docs/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst
Pedro Almeida 25f9cc35db Update cert-manager version to v1 from v1alpha2
Following the cert-manager migration to FluxCD, it was upversioned to
v1.7.1 from v0.41.2, which means we need to update our helm-chart
docs to use v1 instead of v1alpha2.

Closes-Bug: #1978858

Signed-off-by: Pedro Almeida <pedro.monteiroazevedodemouraalmeida@windriver.com>
Change-Id: I79955ed7412c0961b315f3b8a8cabd9dfce88fbf
2022-06-21 10:33:38 -03:00

Create Certificates Locally using cert-manager on the Controller

You can use cert-manager to locally create certificates suitable for use in a lab environment.

  1. Create a Root Certificate and Key.
    1. Create a self-signing issuer.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: my-selfsigning-issuer
      spec:
        selfSigned: {}
      " | kubectl apply -f -
    2. Create a Root CA certificate and key.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-rootca-certificate
      spec:
        secretName: my-rootca-certificate
        commonName: my-rootca
        isCA: true
        issuerRef:
          name: my-selfsigning-issuer
          kind: Issuer
      " | kubectl apply -f -
    3. Create a Root CA Issuer.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: my-rootca-issuer
      spec:
        ca:
          secretName: my-rootca-certificate
      " | kubectl apply -f -
    4. Create files for the Root CA certificate and key.

      $ kubectl get secret my-rootca-certificate -o yaml | grep -E "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
      $ kubectl get secret my-rootca-certificate -o yaml | grep -E "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
  2. Create and sign a Server Certificate and Key.
    1. Create the Server certificate and key.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-server-certificate
      spec:
        secretName: my-server-certificate
        duration: 2160h # 90d
        renewBefore: 360h # 15d
        commonName: 1.1.1.1
        dnsNames:
        - myserver.wrs.com
        ipAddresses:
        - 1.1.1.1
        issuerRef:
          name: my-rootca-issuer
          kind: Issuer
      " | kubectl apply -f -
    2. Create the files for the Server certificate and key.

      $ kubectl get secret my-server-certificate -o yaml | grep -E "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
      $ kubectl get secret my-server-certificate -o yaml | grep -E "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
    3. Combine the server certificate and key into a single file.

      $ cat my-server-cert.pem my-server-key.pem > my-server.pem
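
Before using the files from the procedure above, it is worth confirming that they are consistent with each other. The following is an added example, not part of the original document: it uses openssl to check that the server certificate chains to the root CA, that the key matches the certificate, and that the dnsNames and ipAddresses entries are present, then restricts the files holding private keys to their owner. The function names are hypothetical helpers; it assumes the openssl CLI is installed and the file names used above.

```shell
#!/bin/sh
# Added example: sanity checks for the PEM files written by the steps above.
# Function names are hypothetical helpers; file names are the ones on this page.

# Succeeds only if CERT chains to the root CA certificate CA_CERT.
chains_to_ca() {            # usage: chains_to_ca CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if KEY is the private key for CERT (public keys are identical).
key_matches_cert() {        # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if CERT is valid for the DNS name / IP address given.
cert_covers_host() {        # usage: cert_covers_host CERT DNS_NAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}
cert_covers_ip() {          # usage: cert_covers_ip CERT IP_ADDRESS
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Run every check on the files in DIR (default: current directory), then
# restrict the files that contain private keys to their owner.
check_lab_certs() {         # usage: check_lab_certs [DIR]
    dir=${1:-.}
    chains_to_ca "$dir/my-rootca-cert.pem" "$dir/my-server-cert.pem" || {
        echo "server certificate does not chain to the root CA" >&2; return 1; }
    key_matches_cert "$dir/my-server-cert.pem" "$dir/my-server-key.pem" || {
        echo "server key does not match the server certificate" >&2; return 1; }
    cert_covers_host "$dir/my-server-cert.pem" myserver.wrs.com || {
        echo "dnsNames entry missing from the certificate" >&2; return 1; }
    cert_covers_ip "$dir/my-server-cert.pem" 1.1.1.1 || {
        echo "ipAddresses entry missing from the certificate" >&2; return 1; }
    chmod 600 "$dir/my-rootca-key.pem" "$dir/my-server-key.pem" "$dir/my-server.pem"
}

# After completing the procedure: check_lab_certs . && echo "lab certificates OK"
```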