This repo is a companion to my KubeCon EU 2023 talk, 🎥 Rotate Roots Right Round: Using cert-manager for Safer Private PKI.
It provides example configuration and steps for setting up private PKI in Kubernetes using:
- cert-manager (of course!)
- approver-policy
- and trust-manager
Subfolders are numbered; follow them in numerical order.
Using this repo, along with the talk, you should be able to safely set up a private PKI that's free of cost, free of rate limits and which gives you complete control!
On your development machine, you'll need cmctl installed (the setup steps below also use kubectl and helm).
You'll also need a Kubernetes cluster running up-to-date versions of the following:
- cert-manager (with default approver disabled)
- approver-policy
- trust-manager
Note that trust-manager's Helm chart includes a Certificate for its webhook. With cert-manager's default approver disabled, the CertificateRequest that Certificate produces stays pending until you approve it manually (or until an approver-policy CertificateRequestPolicy that covers it approves it).
Installation instructions are given below as a guide, using either kind or whatever cluster you have configured.
```bash
# if you already have a cluster, skip this step
kind create cluster --name ap

# install cert-manager with the default approver disabled; the "\," escapes the
# comma so Helm's --set parser doesn't split the --controllers value
helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'} \
  --set installCRDs=true --create-namespace

# install approver-policy
helm upgrade -i -n cert-manager cert-manager-approver-policy jetstack/cert-manager-approver-policy --wait

# install trust-manager. --wait blocks until the chart's webhook Certificate is
# issued, which can't happen until its CertificateRequest is approved, so this
# will appear to hang: run the approval command below from a second terminal.
helm upgrade -i -n cert-manager trust-manager jetstack/trust-manager --wait

# approve trust-manager's CertificateRequest. This actually approves every
# CertificateRequest in the cert-manager namespace (and prints an error for any
# that is already approved or denied); you'll want to scope it down in prod.
kubectl get -n cert-manager cr -o go-template="{{range .items}}{{printf \"%s\n\" .metadata.name}}{{end}}" | xargs -I% cmctl approve -n cert-manager %
```
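A narrower version of that last step, added here as an example (it is not part of this repo or of cert-manager's own tooling): it approves only the CertificateRequests that belong to one Certificate and that have neither an Approved nor a Denied condition yet, so nothing else in the namespace gets approved and re-running it after trust-manager is up is harmless. It assumes the chart's Certificate is named `trust-manager` (override with `CERT_NAME`) and relies on the `cert-manager.io/certificate-name` annotation that cert-manager puts on the CertificateRequests it creates for a Certificate.

```shell
#!/bin/sh
# Added example (not from the repo): approve only the pending CertificateRequests
# that belong to one Certificate, rather than everything in the namespace.
set -eu

NAMESPACE="${NAMESPACE:-cert-manager}"
# Assumed: the trust-manager chart names its webhook Certificate "trust-manager".
CERT_NAME="${CERT_NAME:-trust-manager}"

# One tab-separated line per CertificateRequest in namespace $1:
#   <name> <owning Certificate, from the cert-manager.io/certificate-name annotation> <Approved;/Denied; condition types already set>
# "with" guards against requests that carry no annotations or no status yet.
list_crs() {
  kubectl get certificaterequests -n "$1" -o go-template='{{range .items}}{{.metadata.name}}{{"\t"}}{{with .metadata.annotations}}{{index . "cert-manager.io/certificate-name"}}{{end}}{{"\t"}}{{with .status}}{{range .conditions}}{{if or (eq .type "Approved") (eq .type "Denied")}}{{.type}};{{end}}{{end}}{{end}}{{"\n"}}{{end}}'
}

# Reads list_crs output on stdin and prints the names of requests for the
# Certificate named in $1 that have neither an Approved nor a Denied condition.
select_pending() {
  awk -v cert="$1" 'BEGIN { FS = "\t" } $2 == cert && $3 !~ /Approved|Denied/ { print $1 }'
}

# Approve each pending request for Certificate $2 in namespace $1. cmctl refuses
# to approve a request that already has a decision, so the filter above keeps a
# second run from failing.
approve_pending() {
  list_crs "$1" | select_pending "$2" | while IFS= read -r name; do
    echo "approving $name"
    cmctl approve -n "$1" "$name"
  done
}

# Run with --list to see what would be approved, or --apply to approve it.
case "${1:-}" in
  --list)  list_crs "$NAMESPACE" | select_pending "$CERT_NAME" ;;
  --apply) approve_pending "$NAMESPACE" "$CERT_NAME" ;;
esac
```

Check the output of `--list` before `--apply`: if it is empty while helm is still waiting, the request is probably there under a different Certificate name, and `kubectl get cr -n cert-manager -o yaml` will show the annotation to match on.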