An application to demonstrate how to automate the creation/renewal of TLS certificates using the certificates.k8s.io API.

This example tries to automate the process described in this document.
- kubernetes v1.12.X+
- minikube
- Creates CertificateSigningRequest objects on the Kubernetes API and blocks until they are approved
- Runs a web server using the approved certificate
- Renews certificates by calculating the certificate validity from notBefore and notAfter
- Restarts the web server using the new certificates once they are approved
Start minikube with the following parameters:

```sh
minikube start --vm-driver=<yourdriver> --extra-config=controller-manager.experimental-cluster-signing-duration=6m
# if your vm clock is not synchronized properly
# https://github.com/kubernetes/minikube/issues/1378
minikube ssh -- docker run -i --rm --privileged --pid=host debian nsenter -t 1 -m -u -n -i date -u $(date -u +%m%d%H%M%Y.%S)
```

`--experimental-cluster-signing-duration=6m` is used to test the renewal of certificates: every certificate the cluster CA signs is valid for only six minutes, so the renewal path is exercised within a few minutes instead of a year.
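The two pieces the application automates, building the PKCS#10 request that a CertificateSigningRequest carries and deciding when to renew from the signed certificate's notBefore/notAfter, as an added example that is not part of this project's code. Renewing at two thirds of the lifetime is an assumption of this example (with the 6m signing duration above that means after 4m); the names `NewCSRPEM`, `RenewAt` and `ShouldRenew` are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"
)

// NewCSRPEM generates a fresh P-256 key and a PEM-encoded PKCS#10 request for
// commonName/dnsNames. The PEM bytes are what a CertificateSigningRequest
// object carries (base64-encoded) in spec.request.
func NewCSRPEM(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// RenewAt returns when a certificate valid over [notBefore, notAfter] should be
// renewed: two thirds into its lifetime (an assumption of this example).
// Integer Duration math keeps the result exact.
func RenewAt(notBefore, notAfter time.Time) time.Time {
	return notBefore.Add(notAfter.Sub(notBefore) / 3 * 2)
}

// ShouldRenew reports whether now has reached the renewal point of cert.
func ShouldRenew(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(RenewAt(cert.NotBefore, cert.NotAfter))
}

func main() {
	_, csrPEM, err := NewCSRPEM("auto-tls", []string{"auto-tls.default.svc"})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	nb := time.Now() // with a 6m signing duration this prints a 4m renewal delay
	fmt.Println("renew after:", RenewAt(nb, nb.Add(6*time.Minute)).Sub(nb))
}
```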
```sh
dep ensure -v

# On the first terminal start the server / cert manager
# [optional]
export KUBECONFIG=/path/to/kube/config
make server

# On a second terminal
make connect

# Wait for a pending CSR
kubectl get csr -l app=auto-tls -w

# Approve it!
kubectl certificate approve <csr>
```