About (Preview)
Introduction
The TLS Protect for Kubernetes Operator aims to provide a unified way to install and manage cert-manager and other TLS Protect for Kubernetes components and resources, such as issuers, CSI drivers and policy resources.
Why would I use the operator?
- Allows you to configure, deploy and monitor the status of all TLSPK components via a single Kubernetes custom resource
- Helps with cross-configuration and validation of an installation that combines several TLSPK components
- Helps with creating a best-practices TLS Protect for Kubernetes installation
- Makes it easier to start using JSS resources such as CertificateRequestPolicy by creating valid resources with defaulted values
How can I install TLSPK components via the operator?
The TLS Protect for Kubernetes Operator can be configured to install TLSPK components by applying a singleton Installation custom resource to the cluster. Here is an example Installation resource that tells the operator to install cert-manager, approver-policy [1], venafi-oauth-helper [2], a Venafi TPP ClusterIssuer with a particular CertificateRequestPolicy attached to it, and csi-driver-spiffe [3] configured with the created Venafi TPP issuer:

apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: csi-spiffe-with-tpp
spec:
  certManager:
    version: v1.0.0 # component versions are optional - latest is installed by default
  approverPolicy: {}
  venafiOauthHelper: {}
  images:
    registry: my-custom-image-registry
  issuers:
  - clusterScope: true
    name: my-tpp-issuer
    venafi:
      tpp:
        credentialsRef:
          name: my-tpp-creds
        url: http://my-tpp-server.org
        zone: MyZone
    # A CertificateRequestPolicy will be created for my-tpp-issuer that will
    # ensure that only certs for *.my-org.com DNS names with a maximum
    # duration of 1 hour can be issued.
    policy:
      allowed:
        dnsNames:
          values:
          - "*.my-org.com"
      constraints:
        maxDuration: 1h
      subjects:
        certManager: true
status:
  conditions:
  - lastTransitionTime: "2022-09-09T12:53:20Z"
    message: cert-manager-approver-policy is ready (v0.4.0)
    observedGeneration: 1
    reason: approver-policy is ready
    status: "True"
    type: ApproverPolicyReady
  - lastTransitionTime: "2022-09-09T12:53:29Z"
    message: All cert-manager resources are ready (v1.9.1)
    observedGeneration: 1
    reason: CertManagerReady
    status: "True"
    type: CertManagerReady
...
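Because the operator reports component health only through the status.conditions of the Installation object, a deployment pipeline needs a way to turn that status into a pass/fail signal and to catch a spec that leaves issuance under-constrained before it is applied. The script below is an added example, not part of the operator or its documentation: it reads the JSON that `kubectl get installation <name> -o json` returns (here a constructed sample embedded inline that mirrors the page's example, with one failing condition and one extra issuer added for illustration), lists every condition that is not True or that reports an older generation than the spec, and lints each issuer's policy block. The condition types and the issuer/policy field names are taken from the example above; the second issuer, the failing condition's reason and message, and the lint rules themselves are assumptions made for this example.

```python
"""Readiness and policy lint for a TLS Protect for Kubernetes Operator Installation.

Added example, not operator code. Reads the JSON form of an Installation
(as returned by `kubectl get installation <name> -o json`) and reports:
  * status conditions that are not True, or that describe an older
    generation of the spec than the one currently applied;
  * issuers whose policy block would leave issuance under-constrained.
"""
import json
import re

# Constructed sample: what `kubectl get installation csi-spiffe-with-tpp -o json`
# might return. Only the fields this script inspects are included; the second
# issuer and the failing CertManagerReady condition are made up for illustration.
INSTALLATION = json.loads("""
{
  "apiVersion": "operator.jetstack.io/v1alpha1",
  "kind": "Installation",
  "metadata": {"name": "csi-spiffe-with-tpp", "generation": 2},
  "spec": {
    "certManager": {"version": "v1.0.0"},
    "approverPolicy": {},
    "issuers": [
      {"clusterScope": true, "name": "my-tpp-issuer",
       "venafi": {"tpp": {"url": "http://my-tpp-server.org", "zone": "MyZone",
                          "credentialsRef": {"name": "my-tpp-creds"}}},
       "policy": {"allowed": {"dnsNames": {"values": ["*.my-org.com"]}},
                  "constraints": {"maxDuration": "1h"}}},
      {"clusterScope": true, "name": "unpoliced-issuer",
       "venafi": {"tpp": {"url": "https://tpp.example.invalid", "zone": "Z",
                          "credentialsRef": {"name": "creds"}}}}
    ]
  },
  "status": {
    "conditions": [
      {"type": "ApproverPolicyReady", "status": "True", "observedGeneration": 2,
       "reason": "approver-policy is ready",
       "message": "cert-manager-approver-policy is ready (v0.4.0)"},
      {"type": "CertManagerReady", "status": "False", "observedGeneration": 1,
       "reason": "CertManagerNotReady",
       "message": "cert-manager deployment has 0/1 ready replicas"}
    ]
  }
}
""")

# Go-style duration as used by maxDuration (e.g. 1h, 90m, 1h30m).
_DURATION = re.compile(r"^(\d+h)?(\d+m)?(\d+s)?$")


def not_ready(installation):
    """Return {condition type: explanation} for every condition that is not
    True, or whose observedGeneration lags the spec's current generation."""
    generation = installation["metadata"].get("generation", 0)
    problems = {}
    for cond in installation.get("status", {}).get("conditions", []):
        observed = cond.get("observedGeneration", generation)
        stale = observed < generation
        if cond.get("status") != "True" or stale:
            note = cond.get("message") or cond.get("reason", "")
            if stale:
                note += " (status is for generation %s, spec is at %s)" % (observed, generation)
            problems[cond["type"]] = note
    return problems


def is_ready(installation):
    """True only when every reported condition is True for the current spec."""
    return not not_ready(installation)


def lint_issuers(installation):
    """Return (issuer name, finding) pairs for issuers whose Installation spec
    leaves what they may sign, or how they are reached, weaker than intended."""
    findings = []
    for issuer in installation["spec"].get("issuers", []):
        name = issuer["name"]
        policy = issuer.get("policy")
        if policy is None:
            findings.append((name, "issuer has no policy block in the Installation spec"))
        else:
            dns = policy.get("allowed", {}).get("dnsNames", {}).get("values", [])
            if "*" in dns:
                findings.append((name, "dnsNames allows '*' (any name)"))
            max_dur = policy.get("constraints", {}).get("maxDuration")
            if not max_dur:
                findings.append((name, "no constraints.maxDuration"))
            elif not _DURATION.match(str(max_dur)):
                findings.append((name, "maxDuration %r is not a Go-style duration" % max_dur))
        url = issuer.get("venafi", {}).get("tpp", {}).get("url", "")
        if url.startswith("http://"):
            findings.append((name, "TPP url uses plaintext http"))
    return findings


def main(installation=INSTALLATION):
    """Print findings; exit status 1 while any condition is not ready."""
    problems = not_ready(installation)
    for ctype, msg in problems.items():
        print("NOT READY %s: %s" % (ctype, msg))
    for name, finding in lint_issuers(installation):
        print("ISSUER %s: %s" % (name, finding))
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The generation comparison matters in a pipeline: immediately after `kubectl apply`, the old conditions are still True but refer to the previous spec, so a check that only looks at status "True" passes too early. The lint flags the plaintext TPP URL that the page's example happens to use; a production spec should point at an https endpoint.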
Which TLSPK components and resources can be installed with the TLS Protect for Kubernetes Operator?
Required (each Installation has to include these components):
Optional:
- Issuer and ClusterIssuer resources
- CertificateRequestPolicy resources
- VenafiIssuer and VenafiClusterIssuer resources
- cert-manager/csi-driver-spiffe
- cert-manager/csi-driver
- cert-manager/istio-csr
- venafi-enhanced-issuer
- trust-manager
See TLS Protect for Kubernetes Operator installation to find out which component versions are supported.
What will change in my installation flow when migrating to the operator?
It is recommended that all TLS Protect for Kubernetes components, issuer resources and policies that can be managed by the operator (see the section above) are installed via the operator instead of being deployed standalone.
Issuer resources (cert-manager.io Issuers and ClusterIssuers as well as jetstack.io VenafiIssuers and VenafiClusterIssuers) and CertificateRequestPolicy resources should also be specified via the Installation spec instead of being deployed standalone.
Deploying issuers standalone would require creation of a CertificateRequestPolicy and associated RBAC, as the operator disables the default cert-manager approver. Additionally, the operator expects to be able to cross-validate issuers configured to be used with istio-csr and csi-driver-spiffe, so these issuers must be configured via the Installation spec.
Standalone CertificateRequestPolicy resources might interfere with the CertificateRequestPolicy resources that the operator creates for issuers specified via the Installation spec. See the policy documentation for an example of how to specify an issuer and a custom policy via the Installation spec.
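If a standalone issuer cannot be moved into the Installation spec yet, the practical consequence of the disabled default approver is that every CertificateRequest for that issuer stays unapproved until a CertificateRequestPolicy selects it and the requester is permitted to "use" that policy. The script below is an added example, not code from the operator or approver-policy: it builds the three objects a standalone issuer needs (the policy, a ClusterRole granting `use` on that one policy, and a ClusterRoleBinding for the cert-manager ServiceAccount so Certificate resources are covered) and wraps them in a v1 List for `kubectl apply -f -`. The object shapes follow approver-policy's documented conventions; the issuer name, namespace, allowed DNS names and duration used in the usage call are assumptions for the example.

```python
"""Manifests a standalone issuer needs once the operator runs approver-policy.

Added example, not operator or approver-policy code. Generates a
CertificateRequestPolicy scoped to one issuer plus the RBAC that lets
cert-manager's ServiceAccount use it. The allowed block must list every
attribute the requests will carry (DNS names here; add commonName, usages,
etc. if your Certificates request them), because approver-policy denies any
requested attribute the policy does not explicitly allow.
"""
import json


def policy_name(issuer_name):
    """Name shared by the policy and its RBAC objects (naming is an assumption)."""
    return "standalone-%s" % issuer_name


def certificate_request_policy(issuer_name, issuer_kind, allowed_dns_names,
                               max_duration, issuer_group="cert-manager.io"):
    """CertificateRequestPolicy that only matches requests for this issuer."""
    if "*" in allowed_dns_names:
        raise ValueError("refusing to emit a policy that allows any DNS name")
    return {
        "apiVersion": "policy.cert-manager.io/v1alpha1",
        "kind": "CertificateRequestPolicy",
        "metadata": {"name": policy_name(issuer_name)},
        "spec": {
            "allowed": {"dnsNames": {"values": list(allowed_dns_names)}},
            "constraints": {"maxDuration": max_duration},
            # The selector is what keeps this policy from approving requests
            # meant for operator-managed issuers.
            "selector": {"issuerRef": {"name": issuer_name,
                                       "kind": issuer_kind,
                                       "group": issuer_group}},
        },
    }


def rbac_for_policy(issuer_name, service_account="cert-manager",
                    namespace="cert-manager"):
    """ClusterRole granting 'use' on exactly this policy, bound to the
    ServiceAccount that creates the CertificateRequests. Binding cert-manager's
    own ServiceAccount covers requests created from Certificate resources;
    components that create CertificateRequests directly (e.g. a CSI driver)
    need their own binding."""
    name = policy_name(issuer_name)
    role_name = "cert-manager-policy:%s" % name
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": [{"apiGroups": ["policy.cert-manager.io"],
                   "resources": ["certificaterequestpolicies"],
                   "verbs": ["use"],
                   "resourceNames": [name]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": role_name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": service_account,
                      "namespace": namespace}],
    }
    return [role, binding]


def manifests(issuer_name, issuer_kind, allowed_dns_names, max_duration,
              issuer_group="cert-manager.io"):
    """Policy followed by its RBAC, in apply order."""
    policy = certificate_request_policy(issuer_name, issuer_kind,
                                        allowed_dns_names, max_duration,
                                        issuer_group)
    return [policy] + rbac_for_policy(issuer_name)


def to_kubectl_list(objs):
    """Wrap the objects in a v1 List so `kubectl apply -f -` takes one document."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": objs}, indent=2)


if __name__ == "__main__":
    # Assumed values for the example: a legacy ClusterIssuer outside the Installation spec.
    print(to_kubectl_list(manifests("legacy-ca", "ClusterIssuer",
                                    ["*.internal.example"], "24h")))
```

Pipe the output into `kubectl apply -f -`. For a jetstack.io VenafiClusterIssuer pass `issuer_group="jetstack.io"`; keeping `resourceNames` to the single policy is what stops the binding from granting use of the operator-created policies as well.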
Next steps
Learn how to configure the operator to install TLSPK components: