Follow the steps in this topic to setup cluster issuer for Cert Manager using Venafi
TPP. For more information, refer to the steps given here: https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer
When you start a Cloudera Data Services on premises service installation, make sure
that you have installed a cluster issuer to use third-party certificates. To validate if
there is a valid cluster issuer, see the following rules:
-
We can create a clusterissuer without annotation. It is not
activated until we add the below annotation:
kubectl annotate clusterissuer <ISSUER_NAME>
issuer.cdp.cloudera.com/type=longlived/shortlived
- The cluster issuer must have the following annotation to be activated, along
with the label set as
follows:
kubectl label clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/project=<CDP_NAMESPACE>
In
ECS the
CDP_NAMESPACE is
"
cdp". Once this is setup, you can test this by
creating a test certificate and checking in their Venafi TPP instance that
the certificate is created. A sample certificate will look
like:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-cert
namespace: default
spec:
secretName: test-venafi-tls # This will store the certificate
issuerRef:
name: tpp-issuer
kind: ClusterIssuer
commonName: test.cdp.svc.cluster.local
dnsNames:
- test.cdp.svc.cluster.local
privateKey:
algorithm: RSA
size: 2048
An example setup is as follows:
-
Make sure the cert-manager is installed and all pods are up and running in the
cert-manager namespace.
-
Create a secret in cert-manager namespace with the credentials to communicate
with Venafi TPP instance.
Refer to the below example:
Put the following contents in a file called tpp-secret.yaml
apiVersion: v1
data:
password: Q2xvdWRlcmFAMTIz
username: bG9jYWw6YWRtaW4=
kind: Secret
metadata:
name: tpp-secret
namespace: cert-manager
type: Opaque
kubectl apply -f tpp-secret.yaml
or
kubectl create secret generic tpp-secret \
--from-literal=username='local:admin' \
--from-literal=password='Cloudera@123' \
-n cert-manager
-
Create a secret in the cert-manager namespace with below command if Venafi is
configured with custom CA (Microsoft ADCS).
Refer to the below example:
kubectl create secret generic qe-tpp-ca --from-file=ca.crt -n cert-manager
ca.crt file contents
-----BEGIN CERTIFICATE-----
MIIDkjCCAnqgAwIBAgIQMMMF/SbNzEuvDt9MJUkn/DANBgkqhkiG9w0BAQsFADBM
MScwJQYDVQQLEx5WZW5hZmkgT3BlcmF0aW9uYWwgQ2VydGlmaWNhdGUxITAfBgNV
BAMTGGFkMi5xZS1hZC0xLmNsb3VkZXJhLmNvbTAeFw0yNTA0MDMxMTI5NTRaFw0y
NjA0MDMxMTI5NTRaMEwxJzAlBgNVBAsTHlZlbmFmaSBPcGVyYXRpb25hbCBDZXJ0
aWZpY2F0ZTEhMB8GA1UEAxMYYWQyLnFlLWFkLTEuY2xvdWRlcmEuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3xj5x0OH1061qOPYCb0pbWnivfUo
C8JoktjWlGPK3LOFamKj46qWY7dF4AQHqQAypwLQTLwT7RsSUgZTZbkUGOQKN4CC
kLsxYa5WaHrKuypoxb5WxC31JrJDGUGcUapPcvXLVYKpqBOZLkH5JnJQN1U5KYuX
SBsgEDpU6v0ab51aB+KSdWZ9yyPnMXeJNfYbmQAO8yz7pHtDYZNXDoDoWAjOrUDg
6MUBeOkGsas5zB3Z0pXohT3BU5LQVRlEDsdM3gx5KG/KeaPALHhr74BSkZ7ogHxp
w8qDFFookoFQhwxu3H2hGImh9LJgnV+pMZ9MLBdw/dJxwlNY/LNuVagW8QIDAQAB
o3AwbjAdBgNVHQ4EFgQUI9UXcQZvJLFmkkRJV048s6ZeTSQwCQYDVR0TBAIwADAj
BgNVHREEHDAaghhhZDIucWUtYWQtMS5jbG91ZGVyYS5jb20wHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQA5hBjSlwF++pnG
T90XIZfe47+MaWRFG9KoT5nDhv+VA0355s13gWhAGDeZYPdtc9RLcKeTZQLWxF5k
09Rv0NkKxF+FkznaIUyabUOacAaRLUjSnB7sIaOGATvP2MRNo7NTZ4seMuMevCx+
Dx1jKwEBdwGZTiCkZPkYI473JapkHvPM/Zs4DGro9Pcapnf4e1z2s1IPgFZPmCWr
Z0yeQQ99uU24Ge+n2Fqy4TtcOW/OI+VEWS7uMZj2rAc9xanVxt54hdW+6SJgamf+
Cniw8vU8QriaAallq89uVFYXpfwxnoCA5I3qKh0KFpfxHuB+KjFFfqoY9pIyt/7Q
WANrC2+c
-----END CERTIFICATE-----
-
Create clusterissuer resource to be used with cert manager using below
commands.
Refer to the below example:
-
Longlived cluster issuer - 365 days validity
Put the following contents in a file called longlived-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
issuer.cdp.cloudera.com/type: longlived
labels:
issuer.cdp.cloudera.com/project: cdp
name: tpp-issuer
spec:
venafi:
tpp:
url: https://ad2.qe-ad-1.cloudera.com:8443
credentialsRef:
name: tpp-secret
caBundleSecretRef:
name: qe-tpp-ca
key: ca.crt
zone: \VED\Policy\Cloudera\Longlived
Run the following command to create the ClusterIssuer resource
kubectl apply -f longlived-issuer.yaml
The ClusterIssuer should be configured successfully, i.e.
READY column should have the value True.
kubectl get clusterissuer tpp-issuer
NAME READY AGE
tpp-issuer True 26h
-
Shortlived cluster issuer - 24 hours validity. Refer to the below
example:
Put the following contents in a file called shortlived-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
issuer.cdp.cloudera.com/type: shortlived
labels:
issuer.cdp.cloudera.com/project: cdp
name: tpp-issuer-short
spec:
venafi:
tpp:
url: https://ad2.qe-ad-1.cloudera.com:8443
credentialsRef:
name: tpp-secret
caBundleSecretRef:
name: qe-tpp-ca
key: ca.crt
zone: \VED\Policy\Cloudera\Shortlived
Run the following command to create the ClusterIssuer resource
kubectl apply -f shortlived-issuer.yaml
The Cluster Issuer should be configured successfully. That
is, READY column should have the value
True.
kubectl get clusterissuer tpp-issuer-short
NAME READY AGE
tpp-issuer-short True 26h
Once the test is successfully verified, it can be deleted by running
the following
command:
kubectl delete certificate test-cert
