CFSSL Issuer
CFSSL Issuer is a controller that extends Jetstack's cert-manager to add an issuer that uses a
CFSSL server to sign certificate requests.
Installation
This controller requires a cert-manager version of > v0.11.0 and a running CFSSL server
Helm
TBD
Manually
git clone git@github.com:OpenSource-THG/cfssl-issuer.git
cd cfssl-issuer
kubectl apply -f deploy
Configuration
Once installed we need to configure either a CfsslIssuer or CfsslClusterIssuer resource.
Deployment
All CFSSL issuers share common configuraton for requesting certificates, namely the URL, Profile and CA Bundle
- URL is the url of a CFSSL server
- Profile is an optional field, denoting which profile cfssl should use when signing a Certificate
- CA Bundle is a base64 encoded string of the Certificate Authority to trust the CFSSL connection. The controller will
also asusme that this is the CA used when signing the Certificate Request
Below is an example of a namespaced and cluster scoped configuration
kind: CfsslIssuer
apiVersion: certmanager.thg.io/v1beta1
metadata:
name: cfsslissuer-server
spec:
url: https://cfsslapi.local
caBundle: <base64-encoded-ca>
kind: CfsslClusterIssuer
apiVersion: certmanager.thg.io/v1beta1
metadata:
name: cfsslissuer-server
spec:
url: https://cfsslapi.local
caBundle: <base64-encoded-ca>
The controller assumes that the cfssl api is secured via TLS using the provided CA Bundle and that the certs are signed by the same CA.
Certificates are then created via normal cert-manager flow referencing the issuer. As opposed to builtin issuers the group and kind
must be explicitly defined.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: example-com
spec:
secretName: example-com-tls
duration: 2160h # 90d
renewBefore: 360h # 15d
commonName: example.com
dnsNames:
- example.com
- www.example.com
issuerRef:
name: cfsslissuer-server
group: certmanager.thg.io
kind: CfsslIssuer