Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUTDOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

isolated-issuer Controller Configuration

isolated-issuer currently supports two controller options: cert-manager and kubernetes-csr.

cert-manager

The cert-manager controller watches for CertificateRequests created in the configured target cluster that reference this issuer, and fulfills those requests.

Configuration might look like the example below:

...
controller:
  # The namespace to hold the leader election lease for the replica group
  leaderElectionNamespace: cert-manager
  # The maximum duration that may be requested against the controller. If the
  # requested duration is larger than the maximum, the maximum will be requested
  # from the signer instead. Defaults to 24 hours. Accepts
  # [valid golang duration strings](https://golang.org/pkg/time/#ParseDuration).
  maxCSRDuration: 48h
  cert-manager:
    # Sign CertificateRequests whose Issuer Reference contains this group name
    groupName: isolated-issuer.jetstack.io
    # A PEM encoded CA certificate file that will be used to populate
    # the CA field when signing CertificateRequests
    caFile: ca.pem
    # Denotes whether the cert-manager controller should wait for a
    # CertificateRequest to have an approval condition before signing. Useful
    # when using cert-manager pre v1.3, or when an approver is not available.
    checkApproval: true

An approver needs sufficient permissions in order to approve CertificateRequests that reference the isolated-issuer controller. Example manifests are available for CRD and RBAC, which give permissions to the cert-manager internal approver that approves all CertificateRequests. An empty CustomResourceDefinition is also provided which is required by cert-manager to enforce these permission checks.

kubernetes-csr

The kubernetes-csr controller listens for Kubernetes CertificateSigningRequest resources.

isolated-issuer will only sign CertificateSigningRequests that are Approved and whose signerName matches the configured value.

Clients requesting certificates can optionally use the annotation experimental.cert-manager.io/request-duration on CertificateSigningRequests to request a specific duration. Requests with a requested duration that is larger than the configured maximum will be signed using the configured maximum.

...
controller:
  # The namespace to hold the leader election lease for the replica group
  leaderElectionNamespace: kube-system
  # The maximum duration that may be requested against the controller. Defaults
  # to 24 hours. Accepts [valid golang duration
  # strings](https://golang.org/pkg/time/#ParseDuration).
  maxCSRDuration: 48h
  kubernetes-csr:
    # Sign CertificateSigningRequests whose signerName is set to this value. The
    # controller will wait for approval before signing.
    signerName: isolated-issuer.jetstack.io/mesh-1
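The following Go program is an added illustration of the signing rules described above for the kubernetes-csr controller (signerName must match, the request must be Approved, and a requested duration above maxCSRDuration is clamped to the maximum). It is not isolated-issuer's own code: the CSR and Condition types are constructed stand-ins for the relevant fields of a Kubernetes CertificateSigningRequest, the sample requests are made up, and the choice to fall back to maxCSRDuration when the annotation is absent is an assumption of this example rather than something the page states.

```go
package main

import (
	"fmt"
	"time"
)

// Annotation named on the page for requesting a specific certificate duration.
const requestDurationAnnotation = "experimental.cert-manager.io/request-duration"

// Condition and CSR are constructed stand-ins for the CertificateSigningRequest
// fields the page's rules depend on; they are not the real k8s.io/api types.
type Condition struct {
	Type   string // e.g. "Approved", "Denied"
	Status string // "True" or "False"
}

type CSR struct {
	Name        string
	SignerName  string
	Annotations map[string]string
	Conditions  []Condition
}

// Config mirrors the kubernetes-csr settings from the configuration example.
type Config struct {
	MaxCSRDuration time.Duration
	SignerName     string
}

// Decision records whether the controller would sign, and with what duration.
type Decision struct {
	Sign     bool
	Duration time.Duration
	Reason   string
}

// isApproved reports whether the CSR carries an Approved=True condition.
func isApproved(c CSR) bool {
	for _, cond := range c.Conditions {
		if cond.Type == "Approved" && cond.Status == "True" {
			return true
		}
	}
	return false
}

// requestedDuration applies the cap from the page: a requested duration larger
// than maxCSRDuration is replaced by the maximum. An absent annotation falls
// back to the maximum (an assumption of this example, not stated on the page).
func requestedDuration(cfg Config, c CSR) (time.Duration, error) {
	raw, ok := c.Annotations[requestDurationAnnotation]
	if !ok || raw == "" {
		return cfg.MaxCSRDuration, nil
	}
	d, err := time.ParseDuration(raw) // same duration syntax the config accepts
	if err != nil {
		return 0, fmt.Errorf("invalid %s annotation %q: %w", requestDurationAnnotation, raw, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("non-positive duration %q requested", raw)
	}
	if d > cfg.MaxCSRDuration {
		return cfg.MaxCSRDuration, nil
	}
	return d, nil
}

// Decide evaluates one CSR against the controller's rules in the order the
// page describes: matching signerName, then approval, then duration capping.
func Decide(cfg Config, c CSR) Decision {
	if c.SignerName != cfg.SignerName {
		return Decision{Reason: "signerName " + c.SignerName + " is not handled by this controller"}
	}
	if !isApproved(c) {
		return Decision{Reason: "waiting for an Approved condition"}
	}
	d, err := requestedDuration(cfg, c)
	if err != nil {
		return Decision{Reason: err.Error()}
	}
	return Decision{Sign: true, Duration: d, Reason: "approved, signing for " + d.String()}
}

func main() {
	cfg := Config{MaxCSRDuration: 48 * time.Hour, SignerName: "isolated-issuer.jetstack.io/mesh-1"}
	approved := []Condition{{Type: "Approved", Status: "True"}}
	ann := func(v string) map[string]string { return map[string]string{requestDurationAnnotation: v} }
	// Constructed sample requests covering the cases a controller must handle.
	samples := []CSR{
		{Name: "too-long", SignerName: cfg.SignerName, Conditions: approved, Annotations: ann("720h")},
		{Name: "short", SignerName: cfg.SignerName, Conditions: approved, Annotations: ann("12h")},
		{Name: "no-annotation", SignerName: cfg.SignerName, Conditions: approved},
		{Name: "pending", SignerName: cfg.SignerName},
		{Name: "other-signer", SignerName: "kubernetes.io/kube-apiserver-client", Conditions: approved},
		{Name: "bad-annotation", SignerName: cfg.SignerName, Conditions: approved, Annotations: ann("two days")},
	}
	for _, s := range samples {
		d := Decide(cfg, s)
		fmt.Printf("%-15s sign=%-5v %s\n", s.Name, d.Sign, d.Reason)
	}
}
```

Running the program prints one line per sample; the "too-long" request is signed for 48h rather than the 720h it asked for, the unapproved and foreign-signer requests are left alone, and a malformed annotation is reported instead of being silently treated as the maximum.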
