Follow the steps in this topic to setup cluster issuer for Cert Manager using Venafi
TPP. For more information, refer to the steps given here: https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer
When you start a Cloudera Data Services on premises service installation, make sure
that you have installed a cluster issuer to use third-party certificates. To validate if
there is a valid cluster issuer, see the following rules:
-
We can create a clusterissuer without annotation. It is not
activated until we add the below annotation:
kubectl annotate clusterissuer <ISSUER_NAME>
issuer.cdp.cloudera.com/type=longlived/shortlived
- The cluster issuer must have the following annotation to be activated, along
with the label set as
follows:
kubectl label clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/project=<CDP_NAMESPACE>
In
ECS the
CDP_NAMESPACE is
"
cdp". Once this is setup, you can test this by
creating a test certificate and checking in their Venafi TPP instance that
the certificate is created. A sample certificate will look
like:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-cert
namespace: default
spec:
secretName: test-venafi-tls # This will store the certificate
issuerRef:
name: tpp-issuer
kind: ClusterIssuer
commonName: test.cdp.svc.cluster.local
dnsNames:
- test.cdp.svc.cluster.local
privateKey:
algorithm: RSA
size: 2048
An example setup is as follows:
-
Make sure the cert-manager is installed and all pods are up and running in the
cert-manager namespace.
-
Create a secret in cert-manager namespace with the credentials to communicate
with Venafi TPP instance.
Refer to the below example:
Put the following contents in a file called tpp-secret.yaml
apiVersion: v1
data:
password: <password>
username: <username>
kind: Secret
metadata:
name: tpp-secret
namespace: cert-manager
type: Opaque
kubectl apply -f tpp-secret.yaml
or
kubectl create secret generic tpp-secret \
--from-literal=username='<username>' \
--from-literal=password='<password>' \
-n cert-manager
-
Create a secret in the cert-manager namespace with below command if Venafi is
configured with custom CA:
kubectl create secret generic qe-tpp-ca --from-file=ca.crt -n cert-manager
X509v3 Basic Constraints:
CA:TRUE
-
Create clusterissuer resource to be used with cert manager using below
commands.
Refer to the below example:
-
Longlived cluster issuer - 365 days validity
Put the following contents in a file called longlived-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
issuer.cdp.cloudera.com/type: longlived
labels:
issuer.cdp.cloudera.com/project: cdp
name: tpp-issuer
spec:
venafi:
tpp:
url: https://<venafi.at.yourorg.com>:<port>
credentialsRef:
name: tpp-secret
caBundleSecretRef:
name: qe-tpp-ca
key: ca.crt
zone: \VED\Policy\Cloudera\Longlived
Run the following command to create the ClusterIssuer resource
kubectl apply -f longlived-issuer.yaml
The ClusterIssuer should be configured successfully, i.e.
READY column should have the value True.
kubectl get clusterissuer tpp-issuer
NAME READY AGE
tpp-issuer True 26h
-
Shortlived cluster issuer - 24 hours validity. Refer to the below
example:
Put the following contents in a file called shortlived-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
issuer.cdp.cloudera.com/type: shortlived
labels:
issuer.cdp.cloudera.com/project: cdp
name: tpp-issuer-short
spec:
venafi:
tpp:
url: https://<venafi.at.yourorg.com>:<port>
credentialsRef:
name: tpp-secret
caBundleSecretRef:
name: qe-tpp-ca
key: ca.crt
zone: \VED\Policy\Cloudera\Shortlived
Run the following command to create the ClusterIssuer resource
kubectl apply -f shortlived-issuer.yaml
The Cluster Issuer should be configured successfully. That
is, READY column should have the value
True.
kubectl get clusterissuer tpp-issuer-short
NAME READY AGE
tpp-issuer-short True 26h
Once the test is successfully verified, it can be deleted by running
the following
command:
kubectl delete certificate test-cert
