Cert Manager
Using cert-manager with Akeyless Certificate Automation
You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.
To do so, you first need to install the cert-manager custom resource definitions (CRDs) in your cluster.
Once cert-manager is installed and running in your K8s cluster, you’ll need to create the following three K8s objects to work with the producer:
Secret - The credentials to your Akeyless account.
Issuer - The name of your Certificate Automation producer.
Certificate(s) - Certificates created based on your previously created Issuer.
Authentication
The following Authentication Methods are supported:
The Secret object allows cert-manager to connect to Akeyless:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"
The token in the Secret object is expected to be the base64 encoding of an API Key used to access Akeyless, in the following format:
access_id..access_key | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0 # => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=
Note
The API Key token should be a concatenation of your access_id and your access_key, with double dots as the delimiter. Make sure this Authentication Method is set with the appropriate RBAC in Akeyless to grant access to your dynamic secret.
The path in the YAML should always start with the prefix pki/sign/ before the item path in Akeyless.
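The steps above (encode access_id..access_key, put it in the Secret the Issuer will reference) as an added shell example that is not part of the Akeyless docs: it builds the token with printf so that the decoded value is exactly access_id..access_key, validates it before use, and emits the Secret manifest. The Secret name/key ("my-secret"/"token") are assumed to match the Issuer's tokenSecretRef, the access_id/access_key values are constructed, and the rejection of a trailing newline is a defensive assumption (this page does not say whether Akeyless tolerates one).

```shell
#!/bin/sh
# Added example, not from the Akeyless docs: build the cert-manager Secret for an
# Akeyless API Key. Assumes the Secret name/key match the Issuer's tokenSecretRef
# ("my-secret"/"token"); the access_id and access_key values used are constructed.

# Encode "<access_id>..<access_key>" as single-line base64. printf (not echo) is
# used so no trailing newline ends up inside the token.
akeyless_token_b64() {
    printf '%s..%s' "$1" "$2" | base64 | tr -d '\n'
}

# Validate a base64 token before it goes into a manifest: it must decode, contain
# exactly one ".." delimiter between an Akeyless access_id (p-...) and a non-empty
# access_key, and carry no trailing newline (assumption: Akeyless is not
# documented here as tolerating one). Returns 0 when valid, 1 otherwise.
check_akeyless_token() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    # $(...) strips trailing newlines, so compare the raw decoded byte count too
    nbytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$nbytes" -eq "${#decoded}" ] || return 1
    case "$decoded" in
        *..*..*)  return 1 ;;   # more than one delimiter
        p-?*..?*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a Secret manifest (args: name, access_id, access_key) for `kubectl apply -f -`.
akeyless_secret_manifest() {
    token=$(akeyless_token_b64 "$2" "$3")
    check_akeyless_token "$token" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: $1
data:
  token: "$token"
EOF
}
```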
The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    path: pki/sign/my-cert-automation-producer
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        name: my-secret
        key: token
The my-cert-automation-producer value under the path field is the name of the producer in Akeyless (it can also be a full path when the producer is inside a folder, e.g., folder/my-cert-automation-producer).
The server key holds the target Akeyless Gateway in your local environment where the Certificate Automation producer was created; port 8200 is required.
The tokenSecretRef key references the previously created Secret that holds the credentials.
Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  secretName: secret-my-certificate
  issuerRef:
    name: my-issuer
These keys are cert-manager's own; Akeyless requires no special keys at this point. For more information, see the cert-manager Certificate documentation.
When finished, validate that your Certificate has been issued via kubectl get certificate my-certificate (kubectl get needs the resource type as well as the name):
$ kubectl get certificate my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m
Your certificate information can be found in the secret-my-certificate Secret.