
Is it possible to use cert-manager to generate a certificate for a workload only inside a cluster, with the ACME server in one of the namespaces? As far as I understood, cert-manager tries to reach the DNS name by egressing the cluster and ingressing the cluster again to make the HTTP challenge, but what if I do not want to leave the cluster? I do not want cert-manager to create an Ingress resource. Let the whole challenge take place inside the cluster.

My case:

  • I've got an ACME server (step-ca) inside one of my namespaces
  • I need to create a certificate for my Pod in another namespace, e.g. common name "${app}.${namespace}"

Remarks: In my case the problem is more complicated due to Istio on board. For ingress traffic cert-manager works fine with the internal ACME server, but for egress traffic I need to go over stunnel (in each Pod) to reach Squid outside, and I need those certs for stunnel.

Maciek Leks

1 Answer


The only way I came up with:

Each app has its own Issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: k8s-acme-local
  namespace: ${APP_NS}
spec:
  acme:
    email: some@email
    privateKeySecretRef:
      name: k8s-acme-local
    server: https://${ACME_SVC}.${ACME_NS}/acme/acme/directory
    solvers:
    - http01:
        ingress: 
          podTemplate:
            metadata:
              labels:
                app: ${APP}
          ingressTemplate: {}
          serviceType: ClusterIP

Before creating the Certificate resource I create a Service to take over the traffic to ${APP}.${APP_NS}:

apiVersion: v1
kind: Service
metadata:
  name: ${APP}
  namespace: ${APP_NS}
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8089
  selector:
    app: ${APP}
  sessionAffinity: None
  type: ClusterIP

And then the Certificate resource:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${APP}
  namespace: ${APP_NS}
spec:
  secretName: ${APP}
  issuerRef:
    name: k8s-acme-local
    kind: Issuer
    group: cert-manager.io
  commonName: ${APP}.${APP_NS}
  dnsNames: 
  - ${APP}.${APP_NS}

Now the ACME server will do the challenge over my Service, not by Ingress (and the cert-manager service), which stays unused. I don't like it, but it works. This method has one critical drawback: everyone in the cluster can do it and impersonate any existing or non-existing app. I'm looking forward to your opinions and tips.

Maciek Leks
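The drawback named in the answer (any namespace can request a certificate for any `${APP}.${APP_NS}` name from the shared in-cluster ACME server) is the kind of thing an admission or policy check can catch before the CertificateRequest is ever solved. The following stdlib-only Python check is an added example, not code from the question, the answer, or cert-manager; it takes a Certificate manifest as a dict and rejects every requested name that does not belong to the namespace the Certificate lives in. It also accepts the longer `<svc>.<ns>.svc` and `<svc>.<ns>.svc.cluster.local` forms that cluster DNS resolves, and rejects wildcards; the namespaces, service names and the `cluster.local` cluster domain are constructed assumptions.

```python
"""Namespace-scoped name check for in-cluster ACME Certificates (added example)."""
from typing import Dict, List, Optional

# Assumption: the cluster DNS domain is the default cluster.local
CLUSTER_DOMAIN = "cluster.local"


def name_owner_namespace(dns_name: str) -> Optional[str]:
    """Return the namespace an in-cluster service DNS name belongs to, or None
    if the name is not an in-cluster service name.  Accepted forms are the
    short <svc>.<ns> used in the answer plus <svc>.<ns>.svc and
    <svc>.<ns>.svc.<cluster-domain>.  Wildcards are never accepted, since a
    *.<ns> certificate would cover every app in that namespace."""
    if "*" in dns_name:
        return None
    labels = dns_name.lower().rstrip(".").split(".")
    if len(labels) >= 2 and all(labels[:2]):
        rest = labels[2:]
        if rest in ([], ["svc"], ["svc"] + CLUSTER_DOMAIN.split(".")):
            return labels[1]
    return None


def certificate_violations(cert: Dict) -> List[str]:
    """Return the policy violations for a cert-manager Certificate manifest.
    Rule: every requested name (commonName and dnsNames) must be an
    in-cluster service name whose namespace equals metadata.namespace of the
    Certificate, so an app in namespace X cannot obtain a certificate for a
    service name in namespace Y through the shared ACME server."""
    meta = cert.get("metadata", {})
    spec = cert.get("spec", {})
    ns = meta.get("namespace")
    if not ns:
        return ["Certificate has no metadata.namespace"]
    names = list(spec.get("dnsNames", []))
    if spec.get("commonName"):
        names.append(spec["commonName"])
    if not names:
        return ["Certificate requests no names"]
    problems: List[str] = []
    for name in names:
        owner = name_owner_namespace(name)
        if owner is None:
            problems.append(f"{name}: not an in-cluster service name")
        elif owner != ns:
            problems.append(f"{name}: belongs to namespace {owner}, not {ns}")
    return problems
```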