cert-manager adds (among others) a Certificate CRD to the Kubernetes clusters, which automates obtaining and renewing TLS certificates. A so-called Issuer component, the cfssl-issuer, is used as a bridge to our PKI, which does the actual signing.
- cert-manager: source, Docker images, helm chart
- cfssl-issuer: source, Docker image, helm chart, helm chart (CRDs)
All components are installed to clusters using the install_cert_manager toggle in helmfile.d/admin_ng/helmfile.yaml.
While cert-manager is deployed with default config, cluster operators need to provide at least one CFSSLClusterIssuer/Issuer object that defines URL, credentials and configuration of the PKI server as well as which label (CFSSL wording for intermediate CA) and signing profile/policy to use.
This is all taken care of by the cfssl-issuer helm chart.
A Grafana dashboard can be found at: https://grafana-rw.wikimedia.org/d/vo5tiJTnz/cert-manager