certificate-operator
A Kubernetes operator designed to manage Certificate
resources by interfacing with the Cert
API.
It automates the process of obtaining and renewing TLS certificates
from Cert
and managing them as Kubernetes secrets.
Install with Helm
Helm chart docs are available on charts/nfspvc-operator
directory.
$ helm upgrade --install certificate-operator --namespace certificate-operator --create-namespace oci://ghcr.io/dana-team/helm-charts/certificate-operator --version <release>
Features
- TLS Secret creation: Automatically creates a
secret
of type tls
in the requested name and namespace. The tls.crt
and tls.key
are extracted from the Certificate
obtained from Cert
.
- Automatic Certificate Renewal: Automatically renews
TLS Certificates
before they expire, ensuring continuous security for your applications.
Resources
Certificate
- Manages specifications for creating certificates.
- Contains details about the certificate's validity period (
validFrom
and validTo
) and the current state of the certificate.
- Provides insights into the certificate's signature
hash algorithm
, and GUID
.
Note: The fields in the Spec
are all optional, not all have to be specified.
apiVersion: cert.dana.io/v1alpha1
kind: Certificate
metadata:
name: certificate-sample
spec:
certificateData:
subject:
commonName: "example"
country: "ex"
state: "example"
locality: "example"
organization: "example"
organizationUnit: "example"
san:
dns:
- "www.example.com"
ips:
- "192.168.1.1"
template: "default"
form: pfx
configRef:
name: "certificateconfig-sample"
secretName: my-secret-new
CertificateConfig
- Stores configuration details required for interacting with the external
Cert
API service.
- Specifies settings such as
daysBeforeRenewal
and waitTimeout
, which affect interaction with the external Cert
API.
apiVersion: cert.dana.io/v1alpha1
kind: CertificateConfig
metadata:
name: certificateconfig-sample
spec:
secretRef:
name: cert-credentials
namespace: default
daysBeforeRenewal: 7
waitTimeout: 5m
The Secret
has a single key - credentials
and contains a json
with the needed keys, as specified below:
apiVersion: v1
kind: Secret
metadata:
name: cert-credentials
namespace: default
type: Opaque
stringData:
credentials: |
{
"apiEndpoint": "https://cert.com/cert-route/",
"token": "jwt-token",
"downloadEndpoint": "/down"
}
Getting Started
Prerequisites
- A Kubernetes cluster (you can use KinD).
$ make prereq
Deploying the controller
$ make deploy IMG=ghcr.io/dana-team/certificate-operator:<release>
Build your own image
$ make docker-build docker-push IMG=<registry>/certificate-operator:<tag>