trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.

trust-manager

trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.

It orchestrates bundles of trusted X.509 certificates which are primarily used for validating certificates during a TLS handshake but can be used in other situations, too.

⚠️ trust-manager is still an early stage project and may undergo changes as it's developed!

We encourage you to run it and test it and we truly believe it's useful! The caveat is that while we'll strive to avoid any breaking changes we reserve the right to break things if we must.


Please follow the documentation on cert-manager.io to install trust-manager.

There's also full API reference documentation available.

Demo

If you've got Docker installed and you just want to play with trust-manager as soon as possible, we provide a demo command to get a Kind cluster set up with minimal fuss.

First, clone the repo then run make demo:

git clone --single-branch https://github.com/cert-manager/trust-manager trust-manager
cd trust-manager
make demo
# kubeconfig is in ./bin/kubeconfig.yaml
# kind cluster is called "trust"

The demo installation uses Helm, and roughly matches what you'd get by installing trust-manager into your own cluster using Helm - although it uses locally-built images rather than the ones we publish publicly.

Example Bundle

The simplest useful Bundle to start with is likely to be one using default CAs, which are available from trust-manager 0.4.0+.

This default CA package is based on Debian's ca-certificates package, and so matches what you'd expect to see in a Debian container or VM.

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trust-manager-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    configMap:
      key: "bundle.pem"

This Bundle results in a ConfigMap called trust-manager-bundle, containing the default CAs, being created in every namespace, ready to be mounted and used by your applications.

Your ConfigMap will automatically be updated if you change your bundle, too - so to update it, simply update your Bundle!
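A check worth running on what trust-manager actually distributes, as an added example in Go that is not part of trust-manager itself: it parses the bundle.pem content of the generated ConfigMap and reports any entry that is not a CA certificate or that expires within a window. The SelfSignedPEM helper builds constructed test certificates so the example runs offline; the certificate names and the 30-day window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// BundleReport summarises what a distributed bundle.pem actually contains.
type BundleReport struct {
	Total    int      // CERTIFICATE blocks that parsed
	NonCA    []string // subjects that are not CA certificates
	Expiring []string // CA subjects expiring within the window
}

// InspectBundle walks a PEM bundle such as trust-manager's bundle.pem and flags non-CA and soon-expiring entries.
func InspectBundle(bundle []byte, now time.Time, window time.Duration) (BundleReport, error) {
	var r BundleReport
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // a trust bundle should carry only certificates
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return r, err // stop on the first undecodable entry
		}
		r.Total++
		if !cert.IsCA {
			r.NonCA = append(r.NonCA, cert.Subject.CommonName)
		} else if cert.NotAfter.Before(now.Add(window)) {
			r.Expiring = append(r.Expiring, cert.Subject.CommonName)
		}
	}
	return r, nil
}

// SelfSignedPEM returns a constructed test certificate (not a real CA) so the example runs offline; isCA sets the BasicConstraints CA flag.
func SelfSignedPEM(cn string, isCA bool, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feed it the output of kubectl get configmap trust-manager-bundle -o jsonpath='{.data.bundle\.pem}' to audit a live cluster.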

For more details see the trust-manager documentation.