Using cert-manager with Akeyless Certificate Automation
You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.
To do so, you first need to install cert-manager custom resource definitions for your cluster to support using cert-manager.
Once cert-manager is installed and running in your cluster, you’ll need to create at least 3 objects to work with the producer:
- Secret - The credentials to your Akeyless account.
- Issuer - The name of your Certificate Automation producer.
- Certificate(s) - Certificates created based on your previously created Issuer.
The Secret object allows cert-manager to connect to Akeyless:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"
```
The token in the Secret object is expected to be a base64 encoding of an API KEY used to access Akeyless in the following format:
```shell
# <access_id>..<access_key> | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0
# => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=
```
The API Key token should be a concatenation of your access_id and access_key, with double dots (..) as the delimiter.
Make sure this authentication method is granted the appropriate RBAC in Akeyless, so that it has access to your dynamic secret.
The path should always start with pki/sign, followed by the real path of the producer inside Akeyless.
The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    path: pki/sign/my-cert-automation-producer
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        name: my-secret
        key: token
```
my-cert-automation-producer under the Path key is the name of the producer (it can also be a name inside a folder (
The server key holds the target Akeyless Gateway in your local environment where the Certificate Automation producer has been created; port 8200 is required.
The tokenSecretRef key is a reference to the previously created secret for credentials.
Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  secretName: secret-my-certificate
  issuerRef:
    name: my-issuer
```
The keys are cert-manager related and there are no special keys required by Akeyless at this point. For more information see here - https://cert-manager.io/docs/concepts/certificate/
When finished, validate that your Certificate has been issued via
kubectl get certificate my-certificate
```shell
$ kubectl get certificate my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m
```
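The following script is an added example, not code from the Akeyless or cert-manager documentation. It ties together two steps from this page: building the access_id..access_key token for the Secret object (with a check that the token really decodes to that shape, since a stray newline or a missing delimiter is the usual reason the Issuer fails to authenticate) and inspecting the certificate that cert-manager writes into the Secret named by secretName. The function names, the placeholder access id and key, and the use of printf instead of echo (so no trailing newline is encoded into the credential) are assumptions of this example; show_issued_cert needs kubectl and openssl and is not part of the offline self-check.

```shell
#!/bin/sh
# Added example (not from the Akeyless or cert-manager docs): build and sanity-check
# the API-key token for the cert-manager Secret, render the Secret, and inspect the
# certificate cert-manager issues. Assumes a base64 that accepts -d for decoding.

# make_token ACCESS_ID ACCESS_KEY
# Encodes "access_id..access_key" as one base64 line. printf (not echo) is used so
# that no trailing newline becomes part of the credential.
make_token() {
  printf '%s..%s' "$1" "$2" | base64 | tr -d '\n'
}

# check_token TOKEN
# Decodes the token and checks it has the access_id..access_key shape: exactly one
# ".." delimiter, nothing empty on either side, and no whitespace (a trailing newline
# from echo would otherwise be sent to Akeyless as part of the key).
# Returns 0 when the token looks right, 1 otherwise.
check_token() {
  # "x" is appended and stripped again so a trailing newline survives $(...)
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf 'x') || return 1
  decoded=${decoded%x}
  case "$decoded" in
    *..*..*) return 1 ;;   # more than one delimiter
    ..*|*..) return 1 ;;   # empty access_id or empty access_key
    *..*) ;;               # exactly one delimiter: keep checking
    *) return 1 ;;         # no delimiter at all
  esac
  case "$decoded" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# render_secret SECRET_NAME TOKEN
# Prints the Secret manifest that the Issuer's tokenSecretRef points at.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: $1
data:
  token: "$2"
EOF
}

# show_issued_cert SECRET_NAME
# Pulls tls.crt out of the Secret cert-manager wrote (the Certificate's secretName)
# and prints subject, issuer, validity and SANs. Needs cluster access; not self-tested.
show_issued_cert() {
  kubectl get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Usage: sh make-akeyless-secret.sh demo   (access id and key below are constructed)
if [ "${1:-}" = "demo" ]; then
  tok=$(make_token "p-ab1234567890" "abc************xyz")
  check_token "$tok" && render_secret my-secret "$tok"
fi
```

Pipe the rendered manifest into kubectl apply -f - once check_token passes; if it fails, decode the token by hand and look for a second delimiter or a trailing newline before touching the Issuer.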
Your certificate information can be found at