
Kubernetes/cert-manager

From Wikitech-static
Revision as of 17:41, 6 January 2022 by imported>JMeybohm

Introduction

cert-manager adds, among other resources, a Certificate CRD to the Kubernetes clusters; it automates obtaining and renewing TLS certificates. A so-called Issuer component, the cfssl-issuer, acts as the bridge to our PKI (CFSSL), which does the actual signing.

Components:


All components are installed to clusters using the install_cert_manager toggle in helmfile.d/admin_ng/helmfile.yaml.

Configuration

While cert-manager itself is deployed with its default configuration, cluster operators need to provide at least one CFSSLClusterIssuer/Issuer object. It defines the URL, credentials and configuration of the PKI server, as well as which label (CFSSL's term for an intermediate CA) and which signing profile/policy to use.

This is all taken care of by the cfssl-issuer helm chart.
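The following is an added example that ties the Introduction (Certificate CRD, automatic renewal) to the Configuration section (an issuer object pointing at the PKI). It is not taken from this page, from the cfssl-issuer project or from the helm chart. The field names of the CFSSLClusterIssuer spec (url, label, profile, authSecretName), its API group and version, the issuer name, the PKI URL, the Secret names and the hostnames are all assumptions chosen for illustration; the Certificate resource itself uses the standard cert-manager.io/v1 API.

```yaml
# Added example, not code from the Wikitech page or the cfssl-issuer project.
# Assumed/illustrative: the CFSSLClusterIssuer field names and API group/version,
# the issuer name "pki-discovery", the PKI URL, Secret names and hostnames.
---
# Cluster-wide issuer: where the PKI (CFSSL) lives, how to authenticate to it,
# and which intermediate CA ("label") and signing profile it should use.
apiVersion: cfssl-issuer.wikimedia.org/v1alpha1   # assumed group/version
kind: CFSSLClusterIssuer
metadata:
  name: pki-discovery                              # illustrative name
spec:
  url: https://pki.example.invalid:8888            # placeholder PKI URL (assumed field)
  label: discovery                                 # CFSSL label = intermediate CA (assumed field)
  profile: server                                  # CFSSL signing profile (assumed field)
  authSecretName: cfssl-api-key                    # Secret holding the API key, never inlined (assumed field)
---
# A Certificate: cert-manager submits a CSR to the issuer above, stores the
# resulting key pair in .spec.secretName and renews it before expiry without
# any operator action.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-service-tls
  namespace: example-service
spec:
  secretName: example-service-tls
  commonName: example-service.svc.cluster.local
  dnsNames:
    - example-service.svc.cluster.local
    - example-service.example-service.svc.cluster.local
  duration: 2160h          # requested lifetime: 90 days
  renewBefore: 360h        # start renewal 15 days before notAfter
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always # generate a fresh private key on every renewal
  usages:
    - server auth
  issuerRef:
    name: pki-discovery
    kind: CFSSLClusterIssuer
    group: cfssl-issuer.wikimedia.org   # assumed group; must match the issuer CRD
```

After `kubectl apply -f` of both objects, `kubectl -n example-service get certificate example-service-tls` should show READY=True, and `kubectl -n example-service describe certificate example-service-tls` lists the issuance events if it does not. The validity actually issued is capped by the CFSSL signing profile on the PKI side, so check the real notAfter in the Secret rather than trusting `duration`: `kubectl -n example-service get secret example-service-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates`. If the profile's expiry is shorter than `renewBefore`, cert-manager will renew on every reconcile loop, which is a misconfiguration worth alerting on.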

Monitoring

A Grafana dashboard can be found at: https://grafana-rw.wikimedia.org/d/vo5tiJTnz/cert-manager