cert-operator creates and manages certificates for Kubernetes clusters running on Giant Swarm

cert-operator

Cert Operator creates, configures, and manages certificates for Kubernetes clusters running on the Giant Swarm platform.

Most of the functionality currently provided by this project is now supported natively by Kubernetes' Cluster API (CAPI). As we move more platform functionality to use CAPI workflows, this project will eventually be deprecated.

About

cert-operator is responsible for provisioning certificates used by components of the Giant Swarm platform. It reconciles CertConfig Custom Resources (CRs) and configures HashiCorp Vault accordingly. For a given CertConfig, cert-operator ensures:

  • Vault is accessible
  • the necessary Vault PKI backend has been created
  • a root CA for the associated workload cluster has been created using the PKI backend

cert-operator then creates Secrets in the management cluster containing certificates signed by that root CA; these are used to establish connections to and within the workload cluster. Currently, cert-operator handles creation of kubeconfigs for workload cluster access for the following components:

  • the Giant Swarm API
  • app-operator
  • aws/azure/kvm-operator
  • calico
  • etcd
  • node-operator
  • Prometheus

Compatibility

provider     cert-operator   cluster-operator
AWS          < 1.0.0*        < 3.6.1
AWS          >= 1.0.1        >= 3.6.1
all others   >= 1.0.1        >= 0.24.1
all others   < 1.0.1         < 0.24.0*

* cert-operator v1.0.0 and cluster-operator v0.24.0 have known issues. Use v1.0.1 or v0.24.1 instead.

Prior to version 1.0.0, cert-operator reconciled based on the spec.versionBundle.version field of the CertConfig CR.

In version 1.0.0 and later, the CR field is ignored, and the operator reconciles CertConfigs which have the cert-operator.giantswarm.io/version label set to the operator's version.

In a typical pre-CAPI Giant Swarm release, cluster-operator creates the CertConfigs necessary for each cluster. cluster-operator prior to version 3.6.1 (AWS) and 0.24.0 (Azure and KVM) did not set the appropriate label and still used the older hardcoded versionBundle. The two selection methods are not compatible, which is why the version pairings in the table above must be respected.
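The label-based selection rule for cert-operator 1.0.0 and later can be checked offline against a CertConfig manifest before an upgrade. The script below is an added example, not code from the cert-operator or cluster-operator repositories: it extracts the cert-operator.giantswarm.io/version label from a manifest and reports whether an operator at a given version would reconcile it. The two sample CRs are constructed for this example and contain only the fields the README names (the label and spec.versionBundle.version); apiVersion and the remainder of the spec are deliberately omitted.

```shell
#!/bin/sh
# Added example (not cert-operator code): applies the README's rule that a
# cert-operator >= 1.0.0 reconciles only CertConfigs whose
# cert-operator.giantswarm.io/version label equals the operator's version,
# ignoring spec.versionBundle.version entirely.

# Print the value of the cert-operator.giantswarm.io/version label from a
# manifest on stdin (prints nothing if the label is absent). Optional quotes
# around the value are tolerated.
certconfig_version_label() {
  sed -n 's#^ *cert-operator\.giantswarm\.io/version: *"\{0,1\}\([^" ]*\)"\{0,1\} *$#\1#p'
}

# Exit 0 if an operator running at version $1 would pick up the manifest on
# stdin, 1 otherwise.
reconciled_by_operator() {
  [ "$(certconfig_version_label)" = "$1" ]
}

# Constructed sample CRs (only the fields discussed in the README are present).
LABELLED_CR='kind: CertConfig
metadata:
  name: example-api
  labels:
    cert-operator.giantswarm.io/version: 1.0.1
spec:
  versionBundle:
    version: 0.1.0'

# A CR as created by an old cluster-operator: versionBundle set, no label.
LEGACY_CR='kind: CertConfig
metadata:
  name: example-legacy
spec:
  versionBundle:
    version: 0.1.0'

# check OPERATOR_VERSION MANIFEST -> prints "reconciled" or "ignored".
check() {
  if printf '%s\n' "$2" | reconciled_by_operator "$1"; then
    echo "reconciled"
  else
    echo "ignored"
  fi
}

# Usage example: a 1.0.1 operator picks up the labelled CR but not the legacy one.
check 1.0.1 "$LABELLED_CR"
check 1.0.1 "$LEGACY_CR"
```

Running the same check against `kubectl get certconfigs -A -o yaml` output, one document at a time, is a quick way to find CRs an upgraded operator would silently stop reconciling.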

Prerequisites

Getting Project

Download the latest release: https://github.com/giantswarm/cert-operator/releases/latest

Clone the git repository: https://github.com/giantswarm/cert-operator.git

Download the latest docker image from here: https://quay.io/repository/giantswarm/cert-operator

How to build

Dependencies

Building the standard way

go build github.com/giantswarm/cert-operator

Running cert-operator

See this guide.

Contact

Contributing & Reporting Bugs

See CONTRIBUTING for details on submitting patches, the contribution workflow as well as reporting bugs.

License

cert-operator is under the Apache 2.0 license. See the LICENSE file for details.

Credit

Secrets

The cert-operator is deployed via Kubernetes.

The plain (unencoded) Vault token replaces TODO here:

service:
  vault:
    config:
      token: 'TODO'

The base64 encoding of the whole YAML document above replaces TODO here, as the value of secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: cert-operator-secret
  namespace: giantswarm
type: Opaque
data:
  secret.yaml: 'TODO'

To create the Secret manually, apply the manifest:

kubectl create -f ./path/to/secret.yaml
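The two manual steps above (write the inner YAML, base64-encode it into the Secret) are easy to get wrong by hand, for instance when base64 wraps its output at 76 columns. The script below is an added example, not code from the cert-operator repository: it takes the token from the VAULT_TOKEN environment variable, renders the inner config, encodes it on a single line and emits the Secret manifest, plus a decoder to verify the round trip before applying. The Secret name and namespace follow the README; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not cert-operator code): builds the cert-operator Secret
# manifest from a Vault token held in VAULT_TOKEN, so the plain token is
# never pasted into a file by hand.

# Render the inner service/vault/config YAML for the token given as $1.
render_inner_config() {
  printf "service:\n  vault:\n    config:\n      token: '%s'\n" "$1"
}

# Base64-encode stdin as one line. GNU base64 wraps output at 76 columns,
# which would corrupt the single-line Secret value, so newlines are stripped.
b64_oneline() {
  base64 | tr -d '\n'
}

# Render the Kubernetes Secret manifest whose data.secret.yaml field carries
# the base64-encoded inner config (name/namespace as in the README).
render_secret_manifest() {
  encoded=$(render_inner_config "$1" | b64_oneline)
  printf "apiVersion: v1\nkind: Secret\nmetadata:\n  name: cert-operator-secret\n  namespace: giantswarm\ntype: Opaque\ndata:\n  secret.yaml: '%s'\n" "$encoded"
}

# Decode the data.secret.yaml field of a manifest read from stdin, to verify
# the round trip before the manifest is applied.
decode_secret_field() {
  sed -n "s/^  secret.yaml: '\(.*\)'$/\1/p" | base64 -d
}

# Usage:  VAULT_TOKEN='hvs....' sh make-secret.sh > secret.yaml
#         kubectl create -f ./secret.yaml
# The generated file still contains the token (base64 is an encoding, not
# encryption), so it needs the same handling as the token itself.
if [ -n "${VAULT_TOKEN:-}" ]; then
  render_secret_manifest "$VAULT_TOKEN"
fi
```

Piping the generated manifest through decode_secret_field should print exactly the service/vault/config document; if it does not, the encoding step went wrong and cert-operator will fail to read its token.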