TLS Protect for Kubernetes
Log inCreate account

CSI DriversPreview

Cert-manager issued certificates can be mounted directly to workloads using CSI Drivers.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the example below, we assume you created the following Kubernetes Secret: namespace: jetstack-secure name: jse-gcr-creds

Create an example setup with csi-driver-spiffe

Installing csi-driver-spiffe requires disabling the default certificate request approval mechanism on cert-manager as csi-driver-spiffe has its own certificate requests approver responsible for verifying that the identity of the requester matches that encoded by the SVID. TLS Protect for Kubernetes Operator always disables the default approver and by default creates an 'allow-all' CertificateRequestPolicy for each issuer. It will not create this policy for the issuer that is configured to be used with csi-driver-spiffe on an Installation resource.

Apply Installation resource:

kubectl apply -f - <<EOF
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: spiffe-workload-certs
spec:
  issuers:
  - name: spiffe-ca
    clusterScope: true
    ca:
      secretName: spiffe-ca
      selfSignedCA:
        commonName: spiffe-ca
        subject:
          organizations:
          - cluster.local
  certManager: {}
  approverPolicy: {}
  images:
    secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstart
  csiDrivers:
    certManagerSpiffe:
      issuerRef:
        name: spiffe-ca
        kind: ClusterIssuer
EOF
Copy to clipboard

For this Installation TLS Protect for Kubernetes Operator will create:

  • cert-manager installation in jetstack-secure namespace with the default certificate requests approver disabled

  • a spiffe-ca cluster-scoped CA issuer, a self-signed issuer that issues the root cert for the CA issuer and the actual root cert[1]

  • a csi-driver-spiffe installation in jestack-secure namespace, configured to work with the spiffe-ca issuer

  • an approver-policy installation in jetstack-secure namespace

  • a CertificateRequestPolicy for the self-signed issuer only (not the CA issuer used by csi-driver-spiffe) and RBAC that allows cert-manager's ServiceAccount use this policy

Wait for the Installation to become ready:

kubectl wait --for=condition=Ready=True installation/spiffe-workload-certs --timeout=60s
Copy to clipboard

This should not take more than a minute or a few.

Observe information about the created components and resources on Installation spec:

kubectl get installation spiffe-workload-certs -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'
Copy to clipboard

Deploy an example application with workloads that mount SPIFFE certificates via csi-driver-spiffe:

kubectl apply -f  https://platform.jetstack.io/documentation/configuration/js-operator/csi/spiffe-sample-deployment.yaml
Copy to clipboard

This command creates:

  • a sandbox namespace

  • an example-app Deployment in the sandbox namespace that specifies csi-driver-spiffe volume mounts

  • RBAC that allows the ServiceAccount of my-app to create CertificateRequests

Observe that the volumes with the certificates get created and the pods become ready.

Next steps

  • 1.

    a CA issuer backed by a root cert issued by the self-signed issuer is not recommended to be used in production ↩

On this page