Cert-manager is a cloud-native Kubernetes certificate management controller. It builds on top of Kubernetes and OpenShift to provide X.509 certificates and issuers as first-class resource types, automating the management and distribution of TLS certificates from various issuing sources.
Cert-manager conducts periodic status checks to ensure certificates are valid and renews certificates automatically before they expire. It supports requesting certificates from certificate issuers that support the Automated Certificate Management Environment (ACME) protocol. These certificates are typically trusted on the public Internet by most computers. To successfully request a certificate, cert-manager must solve ACME Challenges which are completed in order to prove that the client owns the DNS addresses being requested.
The integration allows you to easily apply and manage SSL/TLS certificates to any domain or subdomain in the NS1 platform. Certificates are important for identity verification, data encryption, and ensuring a secure connection for your end-users.
During implementation, you will expose your application via ingress and use the cert-manager tool to specify the certificate authority (CA) you want to use. The cert-manager webhook connects to NS1 to allow for DNS validation. During validation, a TXT record is created in the NS1 platform which is queried by the CA to verify that NS1 is authoritative for the domain. Once validated, the CA issues a certificate to the domain which is then managed via cert-manager.
The terms and definitions below are based on those found here.
-
Cert-manager
A series of deployment resources running within your Kubernetes cluster that configures the Certificate Authority and requests certificates.
-
Webhook component
A Kubernetes resource deployed alongside the cert-manager controller used to validate that Issuer, cluster issuer, and certificate resources are valid. The webhook solver for NS1 is used with cert-manager to solve ACME DNS01 challenges.
Helm chartHelm charts are native Kubernetes and describe a set of Kubernetes resources through a collection of files. In the NS1 webhook for cert-manager Helm is used to install cert-manager.
-
Clusterissuer
Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests.
-
Application/Ingress
Kubernetes manifest files need to describe your app and include an ingress, deployment, and a service. Note that you need a DNS record configured to point traffic to the ingress.
-
External DNS
Deployed and configured in the cluster so that Kubernetes resources are discoverable via public DNS.
For instructions on how to install and configure the integration, please refer to the README.md document published on the NS1 GitHub repository.
You must install Helm—the package manager for Kubernetes—in order to install the charts. Helm charts are a collection of files that describe a set of Kubernetes resources.
You must install the Kubernetes cert-manager plug-in (Instructions found here.)
Create manifests of the resources (above).
Launch cert-manager via helm.
Create a clusterissuer resource.
Launch your app with the ingress. Ensure the domain for your app has a DNS record that is tied to the external IP of your ingress.
Create a certificate resource. DNS validation will take place to prove you control the domain and a TXT record with specific values will get created under that domain. The Certificate Authority will proceed to query the DNS system for that record and issue a certificate if there’s a match.