Prerequisites:
Test environment to run Kubernetes: Linux, Windows or Mac.
Example resources (Linux):
2 CPUs
4GB of free memory
20GB of free disk space
Internet connection
Container or virtual machine manager such as: Docker, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware
Install a container or virtual machine manager
https://docs.docker.com/engine/install/ubuntu/
Install a Kubernetes environment
- https://kubernetes.io/docs/tasks/tools/
- There are multiple options for setting this up depending on your use case. Some simple options for a dev environment are "Kind" or "Minikube". Kubeadm is argued to be the de facto deployment option for production k8s environments. A KB on how to set up a kubeadm k8s deployment can be found here.
- In this example, we will use Minikube. https://minikube.sigs.k8s.io/docs/start/
- Navigate through step 3. You may continue to further steps if desired.
- A Container Runtime is required. You can find more information here about installing: https://kubernetes.io/docs/setup/production-environment/container-runtimes/
- If using Docker, you may run into a permission denied error while initializing Minikube. Command to resolve:
sudo usermod -aG docker $USER && newgrp docker
- Minikube installs its own version of kubectl (the Kubernetes CLI). You access kubectl commands with:
minikube kubectl -- <kubectl commands>
This is a bit cumbersome. To fix this, run the following:
sudo ln -s $(which minikube) /usr/local/bin/kubectl
- Confirm kubectl is installed successfully:
kubectl get po -A
- You now have a running k8s environment using Minikube.
Installation of Cert-manager
- https://cert-manager.io/docs/installation/
- A static install is recommended:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
- Cert-manager may need a couple of minutes to fully install and start the needed pods.
- Manual verification:
kubectl get pods --namespace cert-manager
- If all pods are in a Running state, your installation of Cert-Manager was successful. If any are not in a Running state, give it a couple of minutes and run the command above once more.
- **special note** Cert-manager creates a cert-manager namespace by default.
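The "wait a couple of minutes and re-run the command" step can be automated. The script below is an added example, not part of this article or of cert-manager's own tooling; it assumes kubectl is on your PATH and that cert-manager was installed into its default cert-manager namespace. The parsing function takes the output of kubectl get pods on stdin, so it can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example: poll until every cert-manager pod is Running and Ready
# instead of re-running "kubectl get pods" by hand. Assumes kubectl is on
# PATH and cert-manager lives in the default "cert-manager" namespace.

# Return 0 when every pod line read from stdin is Running with all of its
# containers ready (READY column like 1/1), 1 otherwise. Accepts output
# with or without the header line.
all_pods_ready() {
    local ready=0 total=0
    while read -r name readycol status rest; do
        [ "$name" = "NAME" ] && continue   # skip the header line
        [ -z "$name" ] && continue         # skip blank lines
        total=$((total + 1))
        case "$status" in
            Running)
                # READY is "<ready>/<total>"; count the pod only when both match
                local have="${readycol%/*}" want="${readycol#*/}"
                [ "$have" = "$want" ] && ready=$((ready + 1))
                ;;
        esac
    done
    [ "$total" -gt 0 ] && [ "$ready" -eq "$total" ]
}

# Poll the namespace every 10 seconds until all pods are ready or the
# timeout (seconds) expires; on timeout print the current pod list.
wait_for_cert_manager() {
    local ns="${1:-cert-manager}" timeout="${2:-300}" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if kubectl get pods --namespace "$ns" --no-headers 2>/dev/null | all_pods_ready; then
            echo "all pods in $ns are Running and Ready"
            return 0
        fi
        sleep 10
        waited=$((waited + 10))
    done
    echo "timed out after ${timeout}s; current state:" >&2
    kubectl get pods --namespace "$ns" >&2
    return 1
}

# Usage: wait_for_cert_manager cert-manager 300
```

Run wait_for_cert_manager right after the kubectl apply of cert-manager.yaml; a non-zero exit with the pod list on stderr tells you which pod (typically the webhook, which comes up last) is still starting.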
Configure a Venafi Issuer for Cert-manager
- https://cert-manager.io/docs/configuration/venafi/
- First, you must enable Token Authentication (OAuth) within Venafi. This article outlines how to set up OAuth in Postman: https://support.venafi.com/hc/en-us/articles/360057963991-How-To-Setup-Postman-to-use-OAuth
- Once you have your access token, store it in a secret in the Kubernetes cluster:
kubectl create secret generic tpp-secret --namespace=<namespace of your issuer resource> --from-literal=access-token='Your_TPP_ACCESS_TOKEN'
- Next, create your issuer file referencing your TPP server and the TPP secret you just created.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tpp-issuer
  namespace: <NAMESPACE YOU WANT TO ISSUE CERTIFICATES IN>
spec:
  venafi:
    zone: devops\cert-manager # Set this to the Venafi policy folder you want to use
    tpp:
      url: https://tpp.venafi.example/vedsdk # Change this to the URL of your TPP instance
      caBundle: <base64 encoded string of caBundle PEM file, or empty to use system root CAs>
      credentialsRef:
        name: tpp-secret
- Apply the issuer (you must have a valid Venafi operational certificate and reference its root CA in the caBundle field as a base64-encoded string; https://www.base64encode.org/ can be used for the encoding):
kubectl apply -f tpp-issuer.yaml
- *Do you have the proper zone created in your TPP policy tree that matches your issuer zone?
- You may receive a couple of errors when applying:
Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get https://tppurl/vedsdk/: x509: certificate signed by unknown authority
Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get "https://<tppurl>/vedsdk/": dial tcp: lookup <tppurl> on *IP*:53: no such host
- First error: your CA trust bundle must be a base64-encoded string of the caBundle PEM file, or empty to use the system root CAs.
- Second error: this happens because the k8s CoreDNS hosts file needs a hosts entry for your TPP server. See: https://support.venafi.com/hc/en-us/articles/4410235467789-How-To-Kubernetes-CoreDNS-Hosts-Update
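The two most common mistakes in this section are a caBundle that is not a clean single-line base64 string of a PEM file (the first error above) and an access token that gets left in shell history by --from-literal. The following script is an added example, not part of this article or of cert-manager; it does the base64 encoding locally with the base64 utility, renders the Issuer manifest from the template above (the names tpp-issuer and tpp-secret are the article's; the namespace, zone, TPP URL and CA bundle path are values you supply), and creates the token secret from a file with --from-file instead of a command-line literal.

```shell
#!/usr/bin/env bash
# Added example (not from the article or cert-manager's docs): build the
# Venafi TPP Issuer locally. Names tpp-issuer and tpp-secret match the
# article; namespace, zone, URL and CA bundle path are supplied by you.

# Print the CA bundle PEM as one base64 line, which is what caBundle expects.
# Refuse files that are not PEM certificates: feeding a DER file or a random
# download here is a typical cause of "x509: certificate signed by unknown
# authority" when the issuer is applied.
encode_ca_bundle() {
    local pem="$1"
    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "$pem does not contain a PEM certificate" >&2
        return 1
    fi
    # tr strips the line wrapping that base64 adds on both GNU and BSD systems
    base64 < "$pem" | tr -d '\n'
}

# Render the Issuer manifest with the article's field layout.
render_tpp_issuer() {
    local namespace="$1" zone="$2" url="$3" ca_b64="$4"
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: tpp-issuer
  namespace: $namespace
spec:
  venafi:
    zone: $zone
    tpp:
      url: $url
      caBundle: $ca_b64
      credentialsRef:
        name: tpp-secret
EOF
}

# Create the token secret from a file rather than --from-literal so the
# token does not land in shell history or in the process list. The file
# should be mode 0600 and removed once the secret exists.
create_tpp_secret() {
    local namespace="$1" token_file="$2"
    kubectl create secret generic tpp-secret \
        --namespace="$namespace" \
        --from-file=access-token="$token_file"
}

# Usage (all values are placeholders):
#   encode_ca_bundle ./tpp-root-ca.pem > ca.b64
#   render_tpp_issuer cert-manager 'devops\cert-manager' https://tpp.example.com/vedsdk "$(cat ca.b64)" > tpp-issuer.yaml
#   create_tpp_secret cert-manager ./token.txt && kubectl apply -f tpp-issuer.yaml
```

The secret key must stay access-token, since that is the key cert-manager reads from the secret named in credentialsRef; the namespace passed to create_tpp_secret must be the same one the Issuer is created in.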
Creating Certificates
- Save the following YAML to a file, change the domain name as needed, and apply it to create a certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert1.(yourDomain)
  namespace: cert-manager
spec:
  secretName: cert1.(yourDomain)
  dnsNames:
    - cert1.(yourDomain)
  commonName: cert1.(yourDomain)
  issuerRef:
    name: tpp-issuer
    kind: Issuer
- Create the file and edit it to match your environment:
touch cert1.yaml
sudo nano cert1.yaml
- Apply it (this sends the certificate request to your TPP issuer):
kubectl apply -f cert1.yaml
- Navigate to your zone (Policy folder) on your tpp server and you should see your newly created certificate.
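Seeing the certificate in the TPP policy folder confirms the request reached Venafi; it is also worth confirming from the Kubernetes side that cert-manager marked the Certificate Ready and that the certificate written into the secret covers the DNS name you asked for. This script is an added example, not part of this article or of cert-manager; it assumes kubectl and openssl (1.1.1 or later for the -ext option) are installed, and uses the cert1.(yourDomain) naming from the article with example.com as a placeholder domain.

```shell
#!/usr/bin/env bash
# Added example (not from the article): verify issuance from the k8s side.
# Assumes kubectl and openssl >= 1.1.1 are on PATH; names follow the
# article's cert1.(yourDomain) pattern, with example.com as a placeholder.

# Block until cert-manager reports the Certificate Ready. If it does not,
# the CertificateRequest describe output carries the TPP-side error
# (wrong zone, policy violation, token rejected).
wait_certificate_ready() {
    local ns="$1" name="$2"
    if ! kubectl wait --namespace "$ns" --for=condition=Ready "certificate/$name" --timeout=300s; then
        kubectl describe certificaterequest --namespace "$ns" >&2
        return 1
    fi
}

# Decode tls.crt from the issued secret and print subject, expiry and SANs.
show_issued_cert() {
    local ns="$1" secret="$2"
    kubectl get secret --namespace "$ns" "$secret" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d \
        | openssl x509 -noout -subject -enddate -ext subjectAltName
}

# Return 0 when the subjectAltName text printed by openssl lists exactly
# DNS:<name> as one entry. Entries are split on commas and compared whole,
# so a lookalike such as cert1.example.com.other does not pass.
issued_cert_covers_name() {
    local name="$1" san_text="$2"
    printf '%s\n' "$san_text" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$name"
}

# Usage (placeholder domain):
#   wait_certificate_ready cert-manager cert1.example.com
#   san=$(show_issued_cert cert-manager cert1.example.com | sed -n '/Subject Alternative Name/,$p')
#   issued_cert_covers_name cert1.example.com "$san" && echo "issued cert covers cert1.example.com"
```

The secret name passed to show_issued_cert is the secretName from the Certificate manifest, which in the article's template is the same string as the Certificate name.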
You now have a working Kubernetes environment with cert-manager installed. You have a functioning connection to your Venafi issuer and can successfully issue certificates through Cert-Manager.