CSI DriversPreview
Cert-manager issued certificates can be mounted directly to workloads using CSI Drivers.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the example below, we assume you created the following Kubernetes Secret: namespace: jetstack-secure name: jse-gcr-creds
Create an example setup with csi-driver-spiffe
Installing csi-driver-spiffe requires disabling the default certificate request approval mechanism on cert-manager as csi-driver-spiffe has its own certificate requests approver responsible for verifying that the identity of the requester matches that encoded by the SVID. TLS Protect for Kubernetes Operator always disables the default approver and by default creates an 'allow-all' CertificateRequestPolicy for each issuer. It will not create this policy for the issuer that is configured to be used with csi-driver-spiffe on an Installation resource.
Apply Installation resource:
kubectl apply -f - <<EOFapiVersion: operator.jetstack.io/v1alpha1kind: Installationmetadata:name: spiffe-workload-certsspec:issuers:- name: spiffe-caclusterScope: trueca:secretName: spiffe-caselfSignedCA:commonName: spiffe-casubject:organizations:- cluster.localcertManager: {}approverPolicy: {}images:secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstartcsiDrivers:certManagerSpiffe:issuerRef:name: spiffe-cakind: ClusterIssuerEOF
For this Installation TLS Protect for Kubernetes Operator will create:
-
cert-manager installation in jetstack-secure namespace with the default certificate requests approver disabled
-
a spiffe-ca cluster-scoped CA issuer, a self-signed issuer that issues the root cert for the CA issuer and the actual root cert[1]
-
a csi-driver-spiffe installation in jestack-secure namespace, configured to work with the spiffe-ca issuer
-
an approver-policy installation in jetstack-secure namespace
-
a CertificateRequestPolicy for the self-signed issuer only (not the CA issuer used by csi-driver-spiffe) and RBAC that allows cert-manager's ServiceAccount use this policy
Wait for the Installation to become ready:
kubectl wait --for=condition=Ready=True installation/spiffe-workload-certs --timeout=60s
This should not take more than a minute or a few.
Observe information about the created components and resources on Installation spec:
kubectl get installation spiffe-workload-certs -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'
Deploy an example application with workloads that mount SPIFFE certificates via csi-driver-spiffe:
kubectl apply -f https://platform.jetstack.io/documentation/configuration/js-operator/csi/spiffe-sample-deployment.yaml
This command creates:
-
a sandbox namespace
-
an example-app Deployment in the sandbox namespace that specifies csi-driver-spiffe volume mounts
-
RBAC that allows the ServiceAccount of my-app to create CertificateRequests
Observe that the volumes with the certificates get created and the pods become ready.
Next steps
- 1.
a CA issuer backed by a root cert issued by the self-signed issuer is not recommended to be used in production ↩