This article introduces cert-mangager, which is somewhat similar to certbot, but the difference is that it works in Kubernetes.
cert-manager is an automated certificate management tool that automates the issuance and management of digital certificates from various sources and for various purposes in a Kubernetes cluster. It will ensure that certificates are valid and automatically renew them at the appropriate time.
Note: The object managed by cert-manager is “certificate”. If you only need to use asymmetric encrypted public-private key pairs for JWT signing, data encryption and decryption, consider using secrets management tool Vault directly.
1. Deployment
reference: https://cert-manager.io/docs/installation/helm/
Officially, a variety of deployment methods are available, and the method of installation using helm3 is as follows.
|
|
2. Creating Issuers
cert-manager supports a variety of issuers, and you can even create your own Issuer through its standard API.
But in general, there are only three types of Issuer.
- Public Trusted Certificate signed by authoritative CA: this type of certificate will be trusted by browsers, applets and other third-party applications/service providers
- Locally signed certificates: i.e. digital certificates signed by local CA certificates
- Self-signed certificate: i.e. the certificate is signed by the private key of the certificate itself
The following describes how to apply for a public certificate and a locally signed certificate.
1. Create public network trusted certificate through authority
A public trusted certificate created by an authority can be directly applied to the border gateway to provide TLS encrypted access services to public network users, such as various HTTPS sites and APIs. This is the most widely demanded type of digital certificate service.
cert-manager supports two ways to apply for public network trusted certificates.
- ACME(Automated Certificate Management Environment (ACME) Certificate Authority server) Certificate Automation Application and Management Agreement.
- venafi-as-a-service: venafi is a centralized certificate management platform that also provides the cert-manager plug-in for automating the application of four types of public network trusted certificates, DigiCert/Entrust/GlobalSign/Let’s Encrypt.
Here we mainly introduce the application of public network certificate using ACMEv2 protocol. The authorities that support the application of certificate using this open protocol are
- Free service
- Let’s Encrypt: It is well known that it provides free certificates with three months validity.
- ZeroSSL: Seems to be a more famous SSL certificate service as well
- Supports unlimited number of 90-day certificates via ACME protocol, also supports multi-domain certificates and pan-domain certificates.
- Paid Services
- DigiCert: This is very famous (but also quite expensive), official documentation Digicert - Third-party ACME client automation
- Google Trust Services: Google’s public certificate service, also valid for three months, has a root certificate that cross-validates GlobalSign. official documentation Automate Public Certificates Lifecycle Management via RFC 8555 (ACME)
- Entrust: Official Documents Entrust’s ACME implementation
- GlobalSign: Official Documents GlobalSign ACME Service
Here is also an introduction to the hierarchy of certificates by fee-based certificate services and how they should be selected.
- Domain Validated (DV) certificates
- Only validates domain ownership, with the fewest validation steps, lowest price, and takes only a few minutes to issue.
- The advantage is that they are easy to issue and are great for automation.
- The free certificates provided by various cloud vendors (AWS/GCP/Cloudflare, and Vercel/Github’s site services) for their own services are DV certificates, and Let’s Encrypt’s certificates are of this type.
- Obviously these certificates are all very easy to issue and only verify domain ownership.
- But the DV certificates provided by AWS/GCP/Cloudflare/Vercel/Github all work only on their cloud services and do not provide private key functionality!
- Organization Validated (OV) Certificates
- It is the first choice for enterprise SSL certificate and ensures the authenticity of enterprise SSL certificate through enterprise certification.
- In addition to domain ownership, CA authorities also review the authenticity of the organization and enterprise, including registration status, contact information, malware, etc.
- If you want to be more compliant, you probably have to use at least the OV level of certification as well.
- Extended Validation (EV) certificate
- The most stringent form of certification where CA organizations review in-depth information on all aspects of the organization and business.
- Considered suitable for organizations or businesses such as large corporations, financial institutions, etc.
- And it only supports issuing single-domain and multi-domain certificates, and does not support issuing pan-domain certificates. The highest security.
ACME supports two types of domain name authentication methods, HTTP01 and DNS01, among which DNS01 is the easiest method.
The following is an example of how to apply a Let’s Encrypt certificate with AWS Route53. (Please refer to the official documentation for the configuration of other DNS providers)
1.1 AWS IAM Authorization
First you need to create an OIDC provider for the EKS cluster.
The cert-manager needs access to query and update Route53 records, so you need to create an IAM Policy using the following configuration, which can be named <ClusterName>CertManagerRoute53Access
(note the replacement of <ClusterName>
).
|
|
For example, use awscli to create this policy.
The above configuration then creates an IAM Role and automatically adds a trust relationship to the EKS cluster where the cert-manager is located.
|
|
After that, you need to add an annotation to the ServiceAccount of the cert-manager to bind the IAM Role you just created above.
First create the helm values file cert-manager-values.yaml
as follows.
|
|
Then redeploy the cert-manager:
|
|
This completes the authorization.
1.2 Creating an ACME Issuer
Create an Iusser in the xxx namespace.
|
|
1.3 Creating a certificate through ACME and troubleshooting problems
https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources
Create the certificate using the following configuration and save the certificate to the specified Secret.
|
|
After deploying the Certificate, describe it to see the current progress.
|
|
If you find that the certificate has not been ready for a long time, you can refer to Official Document - Troubleshooting Issuing ACME Certificates and conduct a layer-by-layer check according to the certificate application process.
- First, cert-manager finds that the Secret described in the Certificate does not exist, and starts the certificate application process.
- Firstly, generate the private key and store it in a temporary Secret
- Then generate the CSR certificate request file with the private key and other information in the Certificate resource
- This is also a CRD resource, which can be viewed by
kubectl get csr -n xxx
.
- This is also a CRD resource, which can be viewed by
- Then submit the CSR file to the ACME server and request the certificate issued by the authority.
- This corresponds to the CRD resource
kubectl get order
.
- This corresponds to the CRD resource
- For the above ACME certificate application process, Order will actually generate a DNS1 Challenge resource
- You can check this resource through
kubectl get challenge
.
- You can check this resource through
- After the challenge is verified, it will go backward layer by layer, and the Order CSR status in front will become valid immediately.
- Finally, the certificate is issued successfully, the Certificate status becomes Ready, and all Order CSR challenge resources are automatically cleaned up.
1.4 Creating a certificate via csi-driver
Certificates created directly using the Certificate
resource are stored in Kubernetes Secrets and are not considered secure enough. The cert-manager csi-driver avoids this pitfall, specifically, it improves security by doing the following.
- Ensuring that the private key is stored only on the corresponding node and mounted to the corresponding Pod, completely preventing the private key from being transmitted over the network.
- Each copy of the application uses its own generated private key, and ensures that the certificate and private key always exist during the life of the Pod.
- Automatic certificate renewal
- When a copy is deleted, the certificate is destroyed.
In a nutshell, csi-driver is mainly used to improve security, you can read the documentation yourself if you need, so I won’t introduce more.
2. Certificate issuance through private CA
Private CA is a kind of CA certificate generated by enterprises themselves, which is usually used by enterprises to build their own PKI infrastructure.
In the application scenario of TLS protocol, the certificate issued by Private CA is only suitable for internal use in the enterprise and must be installed on the client to access the Web API or site encrypted by its signed digital certificate normally. Note: Private CA-signed digital certificates are not trusted on the public network!
The Private CA services provided by cert-manager are.
- Vault: The big name, Vault is a password-as-a-service tool that can be deployed in K8s clusters and provides many password and certificate related features.
- Open source and free
- AWS Certificate Manager Private CA: The same CA functionality as Vault, except it is hosted and maintained by AWS.
- Each Private CA certificate: $400/month
- One-time fee per issued certificate (only after reading the private key and certificate content) in a ladder, $0.75 per certificate for 0-1000 or less
- See the documentation for the rest…
This is not used for the time being, so it has not been studied, after there is research to add.
3. cert-manager integrates with istio/ingress and other gateways
The Certificate
resource provided by cert-manager will store the generated public and private keys in Secret, and Istio/Ingress both support this format of Secret, so it is quite simple to use.
Take Istio Gateway as an example, just specify the Secret name directly on the Gateway resource.
|
|
Then, with resources such as VirtualService, you can combine Istio with cert-manager.
4. Mount the cert-manager certificate to the custom gateway
Note, do not use
subPath
mount, according to the official documentation The Secret file is not automatically updated when mounted this way!
Since the certificate is stored in the Secret, it can be mounted directly to Pods as a data volume, as shown in the example below.
|
|
For nginx, you can simply get a sidecar to monitor and reload nginx when there is a configuration change to achieve automatic certificate updates.
Or you can consider writing a k8s informer to monitor changes to the secret and reload all nginx instances when there are changes.
5. Notes
There are many optimization points for server-side TLS protocol configuration, and some configurations are obvious for performance improvement, so it is recommended to search relevant information online by yourself, and only some relevant information is listed here.
OCSP certificate verification protocol will greatly slow down the response speed of HTTPS protocol
If the client directly requests the OCSP server of CA organization to verify the certificate status through OCSP protocol, this will significantly slow down the response speed of HTTPS protocol, and the performance of the OCSP site of CA organization itself will also be greatly affected.
Solution: The HTTPS server must enable OCSP stapling function, which enables the server to access OCSP in advance to obtain certificate status information and cache it locally, so that when the client accesses using TLS protocol, the cached OCSP information will be sent to the client directly during the handshake phase, thus completing the certificate status verification. Because the OCSP information will carry the signature and validity of CA certificate, it is impossible for the server to forge it, which can also ensure the security.