
HOW TO: Setup A Development Kubernetes/Cert-Manager Environment

Prerequisites:

A test machine to run Kubernetes: Linux, Windows or macOS.

Example resources (Linux):

2 CPUs

2GB of free memory

20GB of free disk space

Internet connection

Container or virtual machine manager such as: Docker, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMWare

Install a container or virtual machine manager

https://docs.docker.com/engine/install/ubuntu/

 

Install a Kubernetes environment

    1. https://kubernetes.io/docs/tasks/tools/
    2. There are multiple options depending on your use case. Simple options for a dev environment are Kind or Minikube. kubeadm is generally regarded as the de facto deployment tool for production clusters; a KB article on setting up a kubeadm deployment can be found here. This example uses Minikube: https://minikube.sigs.k8s.io/docs/start/
    3. Work through the Minikube start guide up to and including step 3. You may continue to the later steps if desired.
    4. If you are using Docker, minikube start may fail with a permission denied error because your user cannot open the Docker socket. Add your user to the docker group to resolve it (membership in the docker group is equivalent to root on that host, so only do this on a disposable dev machine):
    5. sudo usermod -aG docker $USER && newgrp docker
    6. Minikube ships its own kubectl (the Kubernetes CLI), which you invoke as:
       minikube kubectl -- <kubectl commands>
       This is a bit cumbersome. Minikube behaves as kubectl when its binary is invoked under the name kubectl, so you can symlink it. Only do this if no separate kubectl is already installed (command -v kubectl should print nothing), otherwise the link will fail or shadow it:
       sudo ln -s $(which minikube) /usr/local/bin/kubectl
       
       This allows you to just type kubectl instead of minikube kubectl -- <kubectl commands>
    7. Confirm kubectl works against the cluster:
    8. kubectl get po -A
    9. You now have a running Kubernetes cluster in Minikube.

 

Installation of cert-manager

    1. https://cert-manager.io/docs/installation/
    2. The static install (a single manifest applied with kubectl) is recommended for a dev environment:
    3. kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
    4. cert-manager may need a couple of minutes to fully install and start the needed pods.
    5. Manual verification:
    6. kubectl get pods --namespace cert-manager
    7. If all pods are in the Running state, your installation of cert-manager was successful. If not, give it a couple of minutes and run the command above once more.
    8. Special note: the static manifest creates the cert-manager namespace itself; you do not need to create it beforehand.
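The install and verification steps above, as an added shell example (not code from the original article or from the cert-manager project): it applies the same v1.5.4 manifest, waits for the cert-manager Deployments to roll out instead of re-running kubectl get pods by hand, checks that every pod is Running and fully ready, and confirms the validating webhook answers a server-side dry run, since an Issuer cannot be applied until it does. The three Deployment names and the constructed kubectl get pods samples used for the offline check are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): install cert-manager from the
# static manifest and wait until it is actually usable, instead of re-running
# "kubectl get pods" by hand. Version and namespace follow the article; the
# Deployment names are those shipped in the v1.5.4 manifest (assumption).
set -eu

CM_VERSION="${CM_VERSION:-v1.5.4}"
CM_NS="cert-manager"

# Read "kubectl get pods" output on stdin and succeed only when every pod is
# STATUS Running with READY n/n. The header line is skipped; empty input fails.
all_pods_ready() {
    seen=0
    while read -r _name ready status _rest; do
        [ "$ready" = "READY" ] && continue
        seen=1
        [ "$status" = "Running" ] || return 1
        [ "${ready%/*}" = "${ready#*/}" ] || return 1   # 1/1 passes, 0/1 fails
    done
    [ "$seen" -eq 1 ]
}

install_cert_manager() {
    kubectl apply -f "https://github.com/jetstack/cert-manager/releases/download/${CM_VERSION}/cert-manager.yaml"
    # Block until each controller Deployment has rolled out (up to 3 minutes each).
    for d in cert-manager cert-manager-cainjector cert-manager-webhook; do
        kubectl -n "$CM_NS" rollout status "deployment/$d" --timeout=180s
    done
    kubectl -n "$CM_NS" get pods | all_pods_ready \
        || { echo "cert-manager pods are not all Running" >&2; return 1; }
    # Pods Running is not enough: the validating webhook must answer admission
    # requests before any Issuer or Certificate can be applied. A server-side
    # dry run of a minimal Certificate fails until it does (issuerRef existence
    # is not checked at admission, so the referenced Issuer need not exist).
    kubectl apply --dry-run=server -f - <<'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-probe
  namespace: cert-manager
spec:
  secretName: webhook-probe
  dnsNames: [webhook-probe.example]
  issuerRef: {name: not-created, kind: Issuer}
EOF
    echo "cert-manager ${CM_VERSION} is ready"
}

# Constructed sample output (not captured from a real cluster) for offline checks.
SAMPLE_READY='NAME READY STATUS RESTARTS AGE
cert-manager-5d7f97b46d-x2k9q 1/1 Running 0 2m
cert-manager-cainjector-69d885bf55-7rp4c 1/1 Running 0 2m
cert-manager-webhook-8d7495f4-bz6nm 1/1 Running 0 2m'
SAMPLE_STARTING='NAME READY STATUS RESTARTS AGE
cert-manager-5d7f97b46d-x2k9q 1/1 Running 0 20s
cert-manager-cainjector-69d885bf55-7rp4c 0/1 ContainerCreating 0 20s
cert-manager-webhook-8d7495f4-bz6nm 0/1 Pending 0 20s'

# Only talk to a cluster when explicitly asked: sh cert-manager-install.sh install
if [ "${1:-}" = "install" ]; then
    install_cert_manager
fi
```

Run it as sh cert-manager-install.sh install; without the argument it only defines the functions, so all_pods_ready can be exercised on the samples without a cluster.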

 

Configure a Venafi Issuer for Cert-manager

    1. https://cert-manager.io/docs/configuration/venafi/
    2. First, you must enable token authentication (OAuth) within Venafi TPP and obtain an access token. This article outlines how to set up OAuth in Postman to get one: https://support.venafi.com/hc/en-us/articles/360057963991-How-To-Setup-Postman-to-use-OAuth
       Note that the access token has a validity period configured on the TPP side; the Secret below must be updated with a new token before it expires.
    3. Once you have the access token, store it in a Kubernetes Secret in the namespace where the Issuer will live (an Issuer can only reference a Secret in its own namespace):
    4. kubectl create secret generic tpp-secret --namespace=<namespace of your issuer resource> --from-literal=access-token='Your_TPP_ACCESS_TOKEN'
       (--from-literal leaves the token in your shell history; --from-file=access-token=<path to a file containing only the token> avoids that.)
    5. Next, create the Issuer manifest (tpp-issuer.yaml) referencing your TPP server and the Secret you just created:
    6. apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: tpp-issuer
        namespace: <NAMESPACE YOU WANT TO ISSUE CERTIFICATES IN>
      spec:
        venafi:
          zone: devops\cert-manager # Set this to the Venafi policy folder you want to use
          tpp:
            url: https://tpp.venafi.example/vedsdk # Change this to the URL of your TPP instance
            caBundle: <base64 encoded string of caBundle PEM file, or empty to use system root CAs>
            credentialsRef:
              name: tpp-secret
    7. Apply the Issuer. The TPP server must present a valid Venafi operational (TLS) certificate, and the CA that issued it must be supplied in caBundle as a base64-encoded PEM file on a single line. Encode it with the base64 command-line utility or with https://www.base64encode.org/. Leave caBundle empty only if the TPP certificate chains to a CA in the system root store.
    8. kubectl apply -f tpp-issuer.yaml
    9. Check that the zone in the Issuer spec matches a policy folder that exists in your TPP policy tree.
    10. You may receive one of the following errors, visible with kubectl describe issuer tpp-issuer -n <namespace>:
    11. Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get https://tppurl/vedsdk/: x509: certificate signed by unknown authority
    12. Error initializing issuer: Failed to setup Venafi issuer: error pinging Venafi API: Get "https://<tppurl>/vedsdk/": dial tcp: lookup <tppurl> on *IP*:53: no such host
    13. First error: cert-manager does not trust the certificate the TPP server presents. caBundle must be the base64-encoded PEM of the CA that signed it, or empty to use the system root CAs (which only works if the TPP certificate chains to one of them).
    14. Second error: the cluster's DNS cannot resolve the TPP hostname. Add a hosts entry for it to the CoreDNS ConfigMap: https://support.venafi.com/hc/en-us/articles/4410235467789-How-To-Kubernetes-CoreDNS-Hosts-Update
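The issuer steps above, from the token Secret to diagnosing the two errors, as one added shell example that is not code from the original article, cert-manager or Venafi. It reads the token from a TPP_ACCESS_TOKEN environment variable and the TPP CA certificate from the file named in TPP_CA_PEM (both assumptions), defaults the namespace to cert-manager (the namespace the Certificate example in the next section uses), and keeps the article's zone, URL, issuer and secret names. diagnose_issuer_error classifies the Issuer's Ready-condition message into the two fixes the article gives; the PEM used for the offline check is a constructed placeholder, not a real certificate.

```sh
#!/bin/sh
# Added example, not code from the original article, cert-manager or Venafi:
# store the TPP token in a Secret, build caBundle from a PEM file, render and
# apply the Issuer, then read its Ready condition and map the two errors quoted
# in the article to their fixes. NS, the CA file path (TPP_CA_PEM) and the
# TPP_ACCESS_TOKEN variable are assumptions; zone, URL and names follow the article.
set -eu

NS="${NS:-cert-manager}"          # Secret, Issuer and Certificates must share this namespace
ZONE='devops\cert-manager'        # TPP policy folder, as in the article
TPP_URL="${TPP_URL:-https://tpp.venafi.example/vedsdk}"

# Single-line base64 of a PEM file, which is what caBundle expects.
# (base64 -w0 is GNU-only; stripping newlines with tr works on Linux and macOS.)
pem_to_bundle() {
    base64 < "$1" | tr -d '\n'
}

# Render the Issuer. $1 name, $2 namespace, $3 zone, $4 TPP URL, $5 caBundle
# (base64 PEM, or empty to trust only the system root CAs).
render_issuer() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: $1
  namespace: $2
spec:
  venafi:
    zone: $3
    tpp:
      url: $4
      caBundle: $5
      credentialsRef:
        name: tpp-secret
EOF
}

# Map the Ready condition's message to the fix the article describes.
diagnose_issuer_error() {
    case "$1" in
        *"x509: certificate signed by unknown authority"*) echo "ca-bundle" ;;
        *"no such host"*)                                   echo "dns" ;;
        *)                                                  echo "unknown" ;;
    esac
}

setup_issuer() {
    # The token is piped from an environment variable into --from-file so it
    # appears neither on a command line nor in shell history; dry-run + apply
    # makes the step idempotent.
    printf '%s' "${TPP_ACCESS_TOKEN:?export TPP_ACCESS_TOKEN first}" \
        | kubectl create secret generic tpp-secret -n "$NS" \
            --from-file=access-token=/dev/stdin --dry-run=client -o yaml \
        | kubectl apply -f -
    bundle=""
    [ -n "${TPP_CA_PEM:-}" ] && bundle=$(pem_to_bundle "$TPP_CA_PEM")
    render_issuer tpp-issuer "$NS" "$ZONE" "$TPP_URL" "$bundle" | kubectl apply -f -
    # Ready=True means cert-manager reached the TPP API with the token.
    if kubectl wait --for=condition=Ready issuer/tpp-issuer -n "$NS" --timeout=60s >/dev/null 2>&1; then
        echo "issuer tpp-issuer is ready"
        return 0
    fi
    msg=$(kubectl get issuer tpp-issuer -n "$NS" \
        -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}')
    case "$(diagnose_issuer_error "$msg")" in
        ca-bundle) echo "fix: set caBundle to the base64 PEM of the CA that signed the TPP certificate" >&2 ;;
        dns)       echo "fix: add a CoreDNS hosts entry so the cluster can resolve the TPP hostname" >&2 ;;
        *)         echo "issuer not ready: $msg" >&2 ;;
    esac
    return 1
}

# Constructed placeholder PEM (not a real certificate) for the offline check.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBsampleNotARealCertificate
-----END CERTIFICATE-----'

# Only talk to a cluster when explicitly asked: sh venafi-issuer.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_issuer
fi
```

With TPP_ACCESS_TOKEN and TPP_CA_PEM exported, sh venafi-issuer.sh apply creates the Secret and Issuer and prints which of the article's two fixes applies if the Issuer does not become Ready within a minute.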

 

Creating Certificates

    1. Save the following manifest as cert1.yaml, change the domain name as needed, and apply it. The Certificate must be created in the same namespace as the Issuer it references (this example uses cert-manager, so the Issuer above must be there too), and metadata.name and secretName must be valid Kubernetes names (lowercase letters, digits, '-' and '.'), so replace the (yourDomain) placeholder with your real domain before applying.
    2. apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: cert1.(yourDomain)
        namespace: cert-manager
      spec:
        secretName: cert1.(yourDomain)
        dnsNames:
          - cert1.(yourDomain)
        commonName: cert1.(yourDomain)
        issuerRef:
          name: tpp-issuer
          kind: Issuer
    3. touch cert1.yaml
    4. nano cert1.yaml (make the changes to match your environment; sudo is not needed to edit a file in your own directory)
    5. kubectl apply -f cert1.yaml (This sends the certificate request to your TPP issuer. kubectl get certificate -n cert-manager shows READY True once TPP has returned the certificate.)
    6. Navigate to your zone (policy folder) on your TPP server and you should see the newly created certificate.
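The certificate steps above as an added shell example, not code from the original article: it rejects names that Kubernetes would refuse (such as the literal (yourDomain) placeholder), renders the manifest with issuerRef.kind nested beside issuerRef.name, applies it, waits for the Ready condition, and shows the subject, issuer and validity of the leaf certificate that TPP returned. DNS_NAME (default cert1.example.com) and NS are assumptions; NS must match the namespace of tpp-issuer.

```sh
#!/bin/sh
# Added example, not code from the original article: check the name, render the
# Certificate with issuerRef.kind correctly nested beside issuerRef.name, apply
# it, wait for Ready, then inspect the leaf certificate TPP returned with
# openssl. DNS_NAME and NS are assumptions; NS must be the Issuer's namespace.
set -eu

NS="${NS:-cert-manager}"
DNS_NAME="${DNS_NAME:-cert1.example.com}"

# Object names and secretName must be DNS-1123 subdomains: lowercase letters,
# digits, '-' and '.', starting and ending alphanumeric, at most 253 chars
# (approximation: label length and adjacent dots are not checked). The
# article's literal "cert1.(yourDomain)" placeholder fails this.
valid_k8s_name() {
    [ "${#1}" -le 253 ] && printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# Render the Certificate. $1 DNS name (also object and Secret name), $2 namespace.
render_certificate() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $1
  namespace: $2
spec:
  secretName: $1
  commonName: $1
  dnsNames:
    - $1
  issuerRef:
    name: tpp-issuer
    kind: Issuer
EOF
}

issue_and_inspect() {
    valid_k8s_name "$DNS_NAME" || { echo "not a valid Kubernetes name: $DNS_NAME" >&2; return 1; }
    render_certificate "$DNS_NAME" "$NS" | kubectl apply -f -
    # Ready=True means TPP issued the certificate and it is stored in the Secret;
    # on timeout, the Events section of describe usually names the cause.
    if ! kubectl wait --for=condition=Ready "certificate/$DNS_NAME" -n "$NS" --timeout=180s; then
        kubectl describe certificate "$DNS_NAME" -n "$NS" | sed -n '/^Events:/,$p' >&2
        return 1
    fi
    # Subject, issuer and validity of the leaf, read straight from the issued Secret.
    kubectl get secret "$DNS_NAME" -n "$NS" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | openssl x509 -noout -subject -issuer -dates
}

# Only talk to a cluster when explicitly asked: sh issue-cert.sh issue
if [ "${1:-}" = "issue" ]; then
    issue_and_inspect
fi
```

The openssl output is the quickest way to confirm that the certificate in the Secret really came from the TPP policy folder you expected: the issuer line should name your Venafi-managed CA, not a self-signed or default one.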

[Screenshot: the newly created certificate listed in the TPP policy folder]

 

You now have a working Kubernetes environment with cert-manager installed, a functioning connection to your Venafi issuer, and the ability to issue certificates through cert-manager.