Setting up Cert Manager using Venafi TPP

Follow the steps in this topic to set up a ClusterIssuer for cert-manager that issues certificates from Venafi Trust Protection Platform (TPP). For the upstream cert-manager documentation on the same procedure, see https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer

When you start a Cloudera Data Services on premises service installation, make sure that a ClusterIssuer is installed if you want to use third-party certificates. A ClusterIssuer is recognized as valid only if it satisfies the following rules:
  • A ClusterIssuer can be created without the type annotation, but it is not activated until the annotation is added. The value must be exactly one of longlived or shortlived:

    kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/type=longlived
    kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/type=shortlived
  • In addition to the type annotation, the ClusterIssuer must carry the project label, set to the CDP namespace:
    kubectl label clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/project=<CDP_NAMESPACE>
    In ECS the CDP_NAMESPACE is "cdp". Once this is set up, you can test it by creating a test certificate and checking in your Venafi TPP instance that the certificate was issued. A sample certificate looks like this:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-cert
      namespace: default
    spec:
      secretName: test-venafi-tls # cert-manager stores the issued certificate and key in this Secret
      issuerRef:
        name: tpp-issuer
        kind: ClusterIssuer
      commonName: test.cdp.svc.cluster.local
      dnsNames:
        - test.cdp.svc.cluster.local
      privateKey:
        algorithm: RSA
        size: 2048
    Apply the manifest and wait until the Certificate's READY column shows True; the issued certificate then appears under the configured zone in the Venafi TPP instance.
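The rules above can be checked mechanically against the JSON that kubectl returns. The following script is an added example and is not Cloudera's or cert-manager's own code: it reads the output of `kubectl get clusterissuer -o json` from stdin when run with `-`, or, for offline use, the constructed sample embedded in it, and reports every rule an issuer violates (type annotation value, project label, HTTPS TPP URL, credentials and CA bundle references, Ready condition). The hostnames, the `tpp-issuer-bad` name and the Ready reason in the sample are assumptions, not values from this page.

```python
"""Check that ClusterIssuers satisfy the activation rules for Cloudera Data Services.

Added example: reads `kubectl get clusterissuer -o json` (a List) or
`kubectl get clusterissuer <name> -o json` (one object) from stdin when run
with `-`; otherwise it checks the constructed SAMPLE below.
"""
import json
import sys

TYPE_ANNOTATION = "issuer.cdp.cloudera.com/type"
PROJECT_LABEL = "issuer.cdp.cloudera.com/project"
VALID_TYPES = ("longlived", "shortlived")


def check_cluster_issuer(issuer, project="cdp"):
    """Return a list of problems for one ClusterIssuer object; [] means it passes."""
    problems = []
    meta = issuer.get("metadata") or {}
    name = meta.get("name", "<unnamed>")

    if issuer.get("kind") != "ClusterIssuer":
        problems.append(f"{name}: kind is {issuer.get('kind')!r}, expected ClusterIssuer")

    # Rule 1: the type annotation activates the issuer and must be exactly one value,
    # not the literal "longlived/shortlived" from a placeholder command.
    itype = (meta.get("annotations") or {}).get(TYPE_ANNOTATION)
    if itype not in VALID_TYPES:
        problems.append(f"{name}: annotation {TYPE_ANNOTATION} must be one of {VALID_TYPES}, got {itype!r}")

    # Rule 2: the project label must name the CDP namespace ("cdp" on ECS).
    proj = (meta.get("labels") or {}).get(PROJECT_LABEL)
    if proj != project:
        problems.append(f"{name}: label {PROJECT_LABEL} must be {project!r}, got {proj!r}")

    # Venafi TPP wiring: HTTPS endpoint, credentials from a Secret, complete CA bundle reference.
    tpp = ((issuer.get("spec") or {}).get("venafi") or {}).get("tpp")
    if tpp is None:
        problems.append(f"{name}: spec.venafi.tpp is missing (not a Venafi TPP issuer)")
    else:
        if not str(tpp.get("url", "")).startswith("https://"):
            problems.append(f"{name}: tpp.url must be an https:// URL, got {tpp.get('url')!r}")
        if not (tpp.get("credentialsRef") or {}).get("name"):
            problems.append(f"{name}: tpp.credentialsRef.name is missing")
        ca = tpp.get("caBundleSecretRef")
        if ca is not None and not (ca.get("name") and ca.get("key")):
            problems.append(f"{name}: tpp.caBundleSecretRef needs both name and key")

    # Readiness as reported by cert-manager (the READY column of `kubectl get clusterissuer`).
    conds = (issuer.get("status") or {}).get("conditions") or []
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds):
        problems.append(f"{name}: no Ready=True condition in status")
    return problems


def check_issuers(doc, project="cdp"):
    """Check a kubectl List or a single object; returns {issuer name: [problems]}."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {(i.get("metadata") or {}).get("name"): check_cluster_issuer(i, project) for i in items}


# Constructed sample in the shape of `kubectl get clusterissuer -o json` (not real cluster
# output; hostnames and the Ready reason are assumed): one correct issuer, one with typical mistakes.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "cert-manager.io/v1",
            "kind": "ClusterIssuer",
            "metadata": {"name": "tpp-issuer",
                         "annotations": {TYPE_ANNOTATION: "longlived"},
                         "labels": {PROJECT_LABEL: "cdp"}},
            "spec": {"venafi": {"zone": "\\VED\\Policy\\Cloudera\\Longlived",
                                "tpp": {"url": "https://venafi.example.internal:443",
                                        "credentialsRef": {"name": "tpp-secret"},
                                        "caBundleSecretRef": {"name": "qe-tpp-ca", "key": "ca.crt"}}}},
            "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Venafi issuer started"}]},
        },
        {
            "apiVersion": "cert-manager.io/v1",
            "kind": "ClusterIssuer",
            # placeholder copied verbatim into the annotation, project label never applied,
            # plaintext TPP URL, and no status because cert-manager never reported Ready
            "metadata": {"name": "tpp-issuer-bad",
                         "annotations": {TYPE_ANNOTATION: "longlived/shortlived"}},
            "spec": {"venafi": {"zone": "\\VED\\Policy\\Cloudera\\Shortlived",
                                "tpp": {"url": "http://venafi.example.internal",
                                        "credentialsRef": {"name": "tpp-secret"}}}},
        },
    ],
}


if __name__ == "__main__":
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    results = check_issuers(doc)
    for issuer_name, probs in results.items():
        print(f"{issuer_name}: {'OK' if not probs else 'FAILED'}")
        for p in probs:
            print(f"  - {p}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it against a live cluster with `kubectl get clusterissuer -o json | python3 check_issuers.py -`; the exit status is non-zero when any issuer fails a rule, so it can gate an installation pipeline.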
An example setup is as follows:
  1. Make sure that cert-manager is installed and that all pods in the cert-manager namespace are running.
  2. Create a Secret in the cert-manager namespace with the credentials used to authenticate to the Venafi TPP instance. A ClusterIssuer can only reference Secrets in the cert-manager namespace.

    Refer to the below example:

    Put the following contents in a file called tpp-secret.yaml
    
    apiVersion: v1
    data:
      # Values under data: must be base64-encoded; the kubectl create secret form below encodes them for you
      password: <password>
      username: <username>
    kind: Secret
    metadata:
      name: tpp-secret
      namespace: cert-manager
    type: Opaque
    
    kubectl apply -f tpp-secret.yaml
    
    or
    
    kubectl create secret generic tpp-secret \
      --from-literal=username='<username>' \
      --from-literal=password='<password>' \
      -n cert-manager
  3. If the Venafi TPP instance presents a certificate issued by a custom (private) CA, create a Secret in the cert-manager namespace holding the CA bundle. The file name becomes the key in the Secret (ca.crt here) and must match the key referenced by the ClusterIssuer:
    kubectl create secret generic qe-tpp-ca --from-file=ca.crt -n cert-manager

    The file ca.crt must contain the PEM-encoded CA certificate (or chain), not the TPP server's own leaf certificate. A CA certificate carries the extension shown below, which you can confirm by inspecting the certificate text:

    X509v3 Basic Constraints:
     CA:TRUE
  4. Create the ClusterIssuer resources used by cert-manager with the commands below.

    Refer to the following examples:

    1. Longlived cluster issuer - 365 days validity. The validity period is set by the policy of the TPP zone the issuer points to, not by the annotation, so configure the zone accordingly.
      Put the following contents in a file called longlived-issuer.yaml
      
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        annotations:
          issuer.cdp.cloudera.com/type: longlived
        labels:
          issuer.cdp.cloudera.com/project: cdp
        name: tpp-issuer
      spec:
        venafi:
          tpp:
            url: https://<venafi.at.yourorg.com>:<port>
            credentialsRef:
              name: tpp-secret   # Secret from step 2, in the cert-manager namespace
            caBundleSecretRef:   # omit this block if TPP uses a publicly trusted CA
              name: qe-tpp-ca    # Secret from step 3
              key: ca.crt
          zone: \VED\Policy\Cloudera\Longlived
      
      Run the following command to create the ClusterIssuer resource
      kubectl apply -f longlived-issuer.yaml

      The ClusterIssuer is configured successfully when its READY column shows True:

      
      kubectl get clusterissuer tpp-issuer
      NAME                READY   AGE
      tpp-issuer          True    26h
      
    2. Shortlived cluster issuer - 24 hours validity, again governed by the policy of the TPP zone. Refer to the following example:
      Put the following contents in a file called shortlived-issuer.yaml
      
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        annotations:
          issuer.cdp.cloudera.com/type: shortlived
        labels:
          issuer.cdp.cloudera.com/project: cdp
        name: tpp-issuer-short
      spec:
        venafi:
          tpp:
            url: https://<venafi.at.yourorg.com>:<port>
            credentialsRef:
              name: tpp-secret
            caBundleSecretRef:
              name: qe-tpp-ca
              key: ca.crt
          zone: \VED\Policy\Cloudera\Shortlived
      
      Run the following command to create the ClusterIssuer resource
      kubectl apply -f shortlived-issuer.yaml

      The ClusterIssuer is configured successfully when its READY column shows True:

      kubectl get clusterissuer tpp-issuer-short
      NAME                READY   AGE
      tpp-issuer-short    True    26h
      Once the test certificate created earlier has been verified in Venafi TPP, delete it (it was created in the default namespace):
      kubectl delete certificate test-cert -n default
      cert-manager does not remove the Secret named in secretName (test-venafi-tls) when the Certificate is deleted unless the controller runs with --enable-certificate-owner-ref, so delete that Secret separately.