PolicyPreview
cert-manager CertificateRequests must be approved before the issuer can issue the certificate. By default cert-manager itself approves all CertificateRequests, but a best practices installation should restrict what certificates can be issued. For an installation that does not use the TLS Protect for Kubernetes Operator, users can do that by disabling the default approval mechanism, deploying cert-manager/approver-policy and creating CertificateRequestPolicys for the issuers in the cluster.
TLS Protect for Kubernetes Operator always disables cert-manager's default approval mechanism, deploys approver-policy and creates a CertificateRequestPolicy and the necessary RBAC for each Issuer and ClusterIssuer created by the operator. By default this policy is an 'allow all', so it does not define any constraints as to what certificates can be requested from the issuer. It is meant to make it easier for users to start applying custom policy rules.
The CertificateRequestPolicy for a operator-managed issuer can be customized via installation.spec.issuers[x].policy field which is a wrapper around the CertificateRequestPolicy's spec.
Configure access to the enterprise registry
🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the example below, we assume you created the following Kubernetes Secret: namespace: jetstack-secure name: jse-gcr-creds
Create an example Installation with an issuer and a custom policy
Apply Installation resource:
kubectl apply -f - <<EOFapiVersion: operator.jetstack.io/v1alpha1kind: Installationmetadata:name: policy-examplespec:certManager: {}approverPolicy: {}images:secret: jse-gcr-creds # see https://platform.jetstack.io/documentation/configuration/js-operator/quickstartissuers:- name: foo-self-signedclusterScope: trueselfSigned: {}policy:allowed:dnsNames:values:- "*.foo.com"constraints:maxDuration: 1hsubjects:certManager: trueEOF
For this Installation TLS Protect for Kubernetes Operator will create:
-
cert-manager installation in jetstack-secure Namespace with the default approver disabled
-
approver-policy installation in jetstack-secure Namespace
-
a self-signed [1] cert-manager ClusterIssuer 'foo-self-signed'
-
a CertificateRequestPolicy for the issuer that restricts that only certificates for \*foo.com DNS names can be requested from this issuer, the minimum key size is 2048 bits and the maximum duration is 1 hour
-
RBAC that allows cert-manager ServiceAccount to use the created CertificateRequestPolicy
Wait for the Installation to become ready:
kubectl wait --for=condition=Ready installation/policy-example
This should not take more than a minute or a few.
Observe information about the created components and resources on Installation spec:
kubectl get installation policy-example -ojsonpath='{range .status.conditions[*]}{"type:"}{.type}{" status:"}{.status}{" reason:"}{.reason}{" message:"}{.message}{"\n"}{end}'
Observe created ClusterIssuer and CertificateRequestPolicy:
kubectl get clusterissuer,certificaterequestpolicy -oyaml
Create some Certificate resources:
kubectl apply -f - <<EOFapiVersion: cert-manager.io/v1kind: Certificatemetadata:name: foo-allowedspec:secretName: foo-allowedprivateKey:algorithm: RSAencoding: PKCS1size: 2048dnsNames:- "thing.foo.com"duration: 1hissuerRef:name: foo-self-signedkind: ClusterIssuergroup: cert-manager.io---apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: foo-deniedspec:secretName: foo-deniedprivateKey:algorithm: RSAencoding: PKCS1size: 2048dnsNames:- "thing.foo.com"duration: 2hissuerRef:name: foo-self-signedkind: ClusterIssuergroup: cert-manager.ioEOF
Wait for CertificateRequest for 'foo-allowed' Certificate to get approved and for CertificateRequest for foo-denied Certificate to get denied. This should happen within seconds:
kubectl get certificaterequests
Next steps
- 1.
self signed issuer type is not recommended to be used in production ↩