NS1 + Kubernetes Cert Manager Integration

Cert-manager is a native Kubernetes certificate management controller. It is an add-on used to automate the management and distribution of TLS certificates from various issuing sources. Based on periodic status checks, it ensures certificates are valid and automates the renewal of certificates before they expire. Cert-manager supports requesting certificates from certificate issuers that support using the ACME protocol. These certificates are typically trusted on the public Internet by most computers. To successfully request a certificate, cert-manager must solve ACME Challenges which are completed in order to prove that the client owns the DNS addresses being requested.

The integration allows you to easily apply and manage SSL/TLS certificates to any domain or subdomain in the NS1 platform. Certificates are important for identity verification, data encryption, and to ensure a secure connection for your end users.

How it works

During implementation, you will expose your application via ingress and use the cert-manager tool to specify the certificate authority (CA) you want to use. The cert-manager webhook connects to NS1 to allow for DNS validation. During validation, a TXT record is created in the NS1 platform which is queried by the CA to verify that NS1 is authoritative for the domain. Once validated, the CA issues a certificate to the domain which is then managed via cert-manager.

Resources

The terms and definitions below are based on those found here.

• Cert-manager
  A series of deployment resources running within your Kubernetes cluster that configures the Certificate Authority and requests certificates.

• Webhook component 
  A Kubernetes resource deployed alongside the cert-manager controller used to validate that Issuer, clusterissuer, and Certificate resources are valid. The webhook solver for NS1 is used with cert-manager to solve ACME DNS01 challenges.

• Helm chart
  Helm charts are native Kubernetes and describe a set of Kubernetes resources through a collection of files. In the NS1 webhook for cert-manager Helm is used to install cert-manager.

• Clusterissuer
  Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests.

• Application/Ingress
  Kubernetes manifest files need to describe your app and include an ingress, deployment, and a service. Note that you need a DNS record configured to point traffic to the ingress.

• External DNS
  Deployed and configured in the cluster so that Kubernetes resources are discoverable via public DNS.

Implementing the integration

For instructions on how to install and configure the integration, please refer to the README.md document published on the NS1 GitHub repository.

Prerequisites:

• You must install Helm—the package manager for Kubernetes—in order to install the charts. Helm charts are a collection of files that describe a set of Kubernetes resources.
• You must install the Kubernetes certmanager plug-in (Instructions found here.)

Summary of implementation process:

1. Create manifests of the resources (above).
2. Launch cert-manager via helm.
3. Create a clusterissuer resource.
4. Launch your app with the ingress. Ensure the domain for your app has a DNS record that is tied to the external IP of your ingress.
5. Create a certificate resource. DNS validation will take place to prove you control the domain and a TXT record with specific values will get created under that domain. The Certificate Authority will proceed to query the DNS system for that record and issue a certificate if there’s a match.