Kubernetes Certificates

Handling SSL Certificate generation and renewal in Kubernetes can be automated. The tool used is cert-manager

definition

create a certificate definition and apply it to kubernetes

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  secretName: my-certificate-secret
  dnsNames:
  - my-host.acoinn.in.c.k8s.acc.gsi.de
  issuerRef:
    name: default-issuer
    kind: ClusterIssuer

We request a certificate. It should be valid for the hostname my-host.acoinn.in.c.k8s.acc.gsi.de, the certificate should be generated by the (centrally configured) ClusterIssuer acme. The resulting certificate and the private key is stored in the my-certiticate-secret.

Wait five minutes and the Certificate should be ready

inspecting

[handel@asl503 ~]$ kubectl describe certificate my-certificate
...
Status:
  Conditions:
    Last Transition Time:  2022-07-13T07:46:11Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-08-12T07:45:49Z
  Not Before:              2022-07-13T07:44:49Z
  Renewal Time:            2022-08-02T07:45:29Z

and the secret with the certificate+key become available

[handel@asl503 ~]$ kubectl describe secret my-certificate-secret
...

we can dump the secret definition, extract the certificate, base64 decode it, and parse it with openssl

[handel@asl503 ~]$ kubectl get secret my-certificate-secret -o json \
  |jq -r .data.\"tls.crt\" \
  |base64 -d \
  |openssl x509 -in - -noout -text

background

cert-manager monitors all Certificates with the right annotation. It creates a CertificatRequest for them

[handel@asl503 ~]$ kubectl describe certificate my-certificate
...
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    35s   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  35s   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "my-certificate-xm5mt"
  Normal  Requested  35s   cert-manager-certificates-request-manager  Created new CertificateRequest resource "my-certificate-kfdbs"

So we create a temporary secret (think file) with a new private key. Then create a CertificateRequest (certificate signing request)

[handel@asl503 ~]$ kubectl describe certificaterequest my-certificate-kfdbs
...
Events:
  Type    Reason             Age   From                                          Message
  ----    ------             ----  ----                                          -------
  Normal  OrderCreated       107s  cert-manager-certificaterequests-issuer-acme  Created Order resource acoinn/my-certificate-kfdbs-4412190

The request must be signed by a certificate authority (issuer). The cluster is configured, cert-manager will automaticly create an order.

The Order contacts the issuer. The issuer in our case is an acme (letsencrypt) instance. Which requires us to place a file on the webserver(s) for which we want to have a certificate. This is called an acme http challenge. Luckily cert-manager will take care of this and create a Challenge.

-- ChristophHandel - 13 Jul 2022