Cert-Manager

Cert-Manager builds on top of Kubernetes and OpenShift to provide X.509 certificates and issuers as first-class resource types.

DNS-01 validation

To get a Certificate, Cert-Manager creates a CertificateRequest that uses an Issuer (or ClusterIssuer) to manage the process of creating/managing the cert.

For LetsEncrypt DNS-01 validation, the Issuer will create an Order and a Challenge to validate ownership of the domain associated with the cert.

Staging and production are provided as two separate ClusterIssuer resources: letsencrypt-staging and letsencrypt-production. Point a Certificate’s issuerRef at the staging ClusterIssuer to provision a test certificate before switching to production:

# review k8s objects
kubectl get CertificateRequest -n network
kubectl get Order -n network
kubectl get Challenge -n network

# once the DNS challenge has propagated
kubectl get Certificate -n network

⚠️ Rate Limits

  • Let’s Encrypt rate limits can be mitigated by testing with the letsencrypt-staging ClusterIssuer before switching to letsencrypt-production.
  • Check on your requests count w/r/t rate limits here: https://crt.sh/

🔀 Cross-namespace certs

Cluster can use reflector to copy secrets across namespaces. In particular, this can share the tls certificates from network to security.

Process

  1. reflector will check secrets for an annotation indicating it may be replicated to other namespaces

    apiVersion: v1
    kind: Secret
    metadata:
      name: <SECRET_NAME>
      namespace: <SECRET_NAMESPACE>
      annotations:
        reflector.v1.k8s.emberstack.com/reflection-allowed: 'true'
        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ns1,ns2,...   # "" (empty) == all namespaces
        # automatically create mirrored resources
        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: 'true'
        reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: ns1, ns2
        #