gardener / cert-management

Manages TLS certificates in Kubernetes clusters using custom resources
Apache License 2.0

create self-signed certificates for local domains #183

Open jkleinlercher opened 2 months ago

jkleinlercher commented 2 months ago

What would you like to be added:

Gardener Cert-Manager Issuer should be able to create self-signed certificates.

Why is this needed:

We use the project Kargo and there in https://github.com/akuity/kargo/blob/main/charts/kargo/templates/webhooks-server/cert.yaml a certificate for dnsName "kargo-webhooks-server.{{ .Release.Namespace }}.svc" is created, to enable a TLS connection between the Kubernetes API server and this admission controller webhook.

The Project normally creates its own issuer to create a selfSigned certificate: https://github.com/akuity/kargo/blob/main/charts/kargo/templates/common/cert-issuer.yaml

Look at .spec.selfSigned

So we do not want to install cert-manager but use the gardener cert-manager to create a certificate. However, I didn't find a way to create self-signed certificates the way the cert-manager does.

Maybe someone can explain how to achieve this with the current features of gardener cert-management?

RaphaelVogel commented 1 month ago

Hi @jkleinlercher Yes this is possible, but probably not perfectly documented. See here.

The following steps need to be done:

1) Configure your shoot to allow custom issuers in the shoot cluster. By default issuers are created in the control plane of your cluster.

kind: Shoot
...
spec:
  extensions:
  - type: shoot-cert-service
    providerConfig:
      apiVersion: service.cert.extensions.gardener.cloud/v1alpha1
      kind: CertConfig
      shootIssuers:
        enabled: true # if true, allows to specify issuers in the shoot cluster
...

2) Create a self-signed certificate and a private key

openssl req \
       -x509 -days 365 -newkey rsa:2048 -sha256 -nodes \
       -keyout key.pem -out cert.pem \
       -subj '/CN=host.example.com'

3) Create a tls secret from the self-signed cert in your shoot cluster

kubectl create secret tls ca-secret --cert=cert.pem --key=key.pem

4) Create an issuer in your shoot cluster referencing the tls secret

apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
  name: issuer-ca
  namespace: default
spec:
  ca:
    privateKeySecretRef:
      name: ca-secret
      namespace: default

5) Create a cert resource and apply to your shoot cluster

apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: cert-simple
  namespace: default
spec:
  commonName: cert1.mydomain.com
  dnsNames:
  - cert1-foo.mydomain.com
  - cert1-bar.mydomain.com
  # if issuer is not specified, the default issuer is used
  issuerRef:
    name: issuer-ca
    namespace: default  # must be specified when issuer runs in shoot!
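
An added example (not cert-management's own code and not part of the comment above) that checks what steps 2 to 4 put into the tls secret before an Issuer of type ca is pointed at it: the private key must belong to the certificate, the certificate must carry basicConstraints CA:TRUE (whether `openssl req -x509` sets that depends on the OpenSSL version and config, so it is worth verifying), and it should not be close to expiry. The sample certificate and key are constructed in memory; the function names and the 30-day margin are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// GenerateCAPair builds constructed tls.crt / tls.key PEM bytes; isCA=false yields a plain leaf certificate.
func GenerateCAPair(cn string, days int, isCA bool) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: isCA, BasicConstraintsValid: true, // always emit basicConstraints
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // constructed sample material; failing here is a programming error
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
// ValidateCASecret checks what the CA issuer needs from the referenced secret: cert and key
// parse and belong together, the cert is a CA, and it stays valid for at least minRemaining.
func ValidateCASecret(certPEM, keyPEM []byte, minRemaining time.Duration) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // also rejects a key/cert mismatch
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("certificate is not a CA (basicConstraints CA:TRUE missing)")
	}
	if time.Until(cert.NotAfter) < minRemaining {
		return errors.New("CA certificate expires before the required margin")
	}
	return nil
}
```

Run the same check against the real cert.pem and key.pem from step 2 (or the decoded tls.crt and tls.key of ca-secret) before creating the Issuer.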

jkleinlercher commented 1 month ago

Hey @RaphaelVogel thank you so much for this detailed explanation. This helps a lot! On the other hand, it also shows me that it is much more complicated than in cert-manager, where I can create a selfsigned-issuer just with this without creating any ca-secret.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}

I fully understand the spec extension in the shoot spec. However, creating a certificate and a secret brings me in the situation that I need to manage this secret somehow.

Is there an easier way like "spec.selfSigned" in cert-manager planned? https://cert-manager.io/docs/configuration/selfsigned/

RaphaelVogel commented 1 month ago

@jkleinlercher, we are working on a solution which is comparable to the one provided by the cert-manager.