Venafi Cert Manager
Akeyless officially integrates with Cert Manager, and this guide demonstrates the integration based on Venafi Dynamic Secret, for a direct integration with Akeyless, follow the main Cert Manager guide.
Using cert-manager with Akeyless and Veanfi Dynamic Secret
You can have Cert Manager deployed in a cluster and use Akeyless to generate certificates.
To do so, you first need to install Cert Manager custom resource definitions for your cluster to support using cert-manager.
Once cert-manager is installed and running in your K8s cluster, you’ll need to create the following three K8s objects to work with the dynamic secret:
Secret - The credentials to your Akeyless account.
Issuer - The name of your Venafi Dynamic secret.
Certificate(s) - Certificates created based on your previously created Issuer.
Authentication
The following Authentication Methods are supported:
The Secret object allows cert-manager to connect to Akeyless:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-secret
data:
token: "<Token>"
The token in the Secret object is expected to be a base64 encoding of an API KEY used to access Akeyless in the following format:
access_id..acces_key | base64
Note
The API Key token should be a concatenation of your
access_id
and youraccess_key
with double dots as a delimiter.Make sure this Authentication method is set with the appropriate RBAC in Akeyless, to grant access to your dynamic secret.
The path in the yaml should always start with the prefixpki/sign/
prior to the item path in Akeyless
The Issuer object is what allows the cert-manager to call Akeyless with the appropriate dynamic secret.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-issuer
spec:
vault:
path: pki/sign/my-cert-automation-dynamic-secret
server: http://my-akeyless-gw.example.company.com:8000/hvp # or using 8200 post
auth:
tokenSecretRef:
name: my-secret
key: token
The my-cert-automation-dynamic secret
under the path entry is the full name of the Dynamic Secret in Akeyless.
The Server entry sets with the Akeyless Gateway where the Venafi dynamic secret has been created, using port 8200
.
The tokenSecretRef key is a reference to the previously created secret for credentials.
Now that these 2 have been created you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-certificate
spec:
commonName: cert-man.example.company.com
dnsNames:
- cert-man.example.company.com
secretName: secret-my-certificate
issuerRef:
name: my-issuer
The keys are cert-manager related and there are no special keys required by Akeyless at this point. For more information see here.
When finished, validate your Certificate has been issued via kubectl get my-certificate
$ kubectl get my-certificate
NAME READY SECRET AGE
my-certificate True secret-my-certificate 1m
Updated 8 days ago