Cert Manager

Using cert-manager with Akeyless Certificate Automation

You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.

To do so, you first need to install cert-manager custom resource definitions for your cluster to support using cert-manager.

Once cert-manager is installed and running in your cluster, you’ll need to create at least 3 objects to work with the producer:

Secret - The credentials to your Akeyless account.

Issuer - The name of your Certificate Automation producer.

Certificate(s) - Certificates created based on your previously created Issuer.

The Secret object allows cert-manager to connect to Akeyless:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"

The token in the Secret object is expected to be the base64 encoding of an API key used to access Akeyless, in the following format:

access_id..access_key | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0 # => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=

Note:

The API key token should be a concatenation of your access_id and your access_key, using double dots (..) as the delimiter.

Make sure this authentication method is granted the appropriate RBAC in Akeyless so that it has access to your dynamic secret.
The path must always start with pki/sign, followed by the real path of the producer inside Akeyless.
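The following shell helpers are an added example and are not part of the Akeyless documentation. They build the base64 token in the access_id..access_key form described above, check that an existing token decodes to that shape before it goes into the cluster, and print the Secret manifest. The function names and the sample credentials are made up for the example.

```shell
#!/bin/sh
# Added example (not from the Akeyless docs): build the base64 token that
# cert-manager reads from the Secret, check that a token decodes to the
# "access_id..access_key" shape, and emit the Secret manifest.
# Function names and sample credentials below are invented for this example.

# Encode "access_id..access_key" as one base64 line. printf (not echo) keeps a
# trailing newline out of the credential; tr replaces the GNU-only "base64 -w 0".
akeyless_token() {
  printf '%s..%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and require the double-dot delimiter. On success prints the
# access_id so you can confirm which auth method the Secret will use.
check_token() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    ?*..?*) printf '%s\n' "${decoded%%..*}" ;;
    *) return 1 ;;
  esac
}

# Print the Secret manifest that the Issuer's tokenSecretRef points at.
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: $1
data:
  token: "$2"
EOF
}

# Usage with constructed sample credentials (not real Akeyless values):
token=$(akeyless_token "p-ab1234567890" "EXAMPLE-ACCESS-KEY")
check_token "$token" >/dev/null && secret_manifest my-secret "$token"
```

The check is worth running before `kubectl apply`: a token that was base64-encoded twice, or one missing the double-dot delimiter, fails here rather than as an opaque authentication error from the gateway.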

The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    path: pki/sign/my-cert-automation-producer
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        name: my-secret
        key: token

The my-cert-automation-producer under the path key is the name of the producer; it can also be a name inside a folder (folder/my-cert-automation-producer).

The server key holds the URL of the Akeyless Gateway in your local environment where the Certificate Automation producer was created; port 8200 is required.

The tokenSecretRef key is a reference to the previously created secret for credentials.

Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  secretName: secret-my-certificate
  issuerRef:
    name: my-issuer

The keys are cert-manager related and there are no special keys required by Akeyless at this point. For more information see here - https://cert-manager.io/docs/concepts/certificate/

When finished, validate that your Certificate has been issued with kubectl get certificate my-certificate:

$ kubectl get certificate my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m

Your certificate information can be found in the secret-my-certificate Secret.