Member-only story
Certificate Management for On-premises Cloud-Native Apps
HTTPS/TLS certificate for On-premises applications is traditionally centrally managed. To get a certificate for your app in an enterprise environment, you will need to create a certificate signing request, submit it to a certificate authority to sign, and get your certificate back. It’s usually tedious and time-consuming. Don’t forget the cert need to be renewed when it's nearly expiring, the same process needs to be repeated again.
When a micro-service architecture is adopted, this approach simply cannot cope with managing all the certificate request and their renewing process. This paper explores how the cert-manager can be used for the on-premises kubernetes applications to manage their certificate lifecycles.
Certificate managed by Cert-manager
The following diagram shows how we use cert-manager to manage the certificate.
Following the typical setup in an enterprise, we will have Root CA and intermediate CA. Create up a ClusterIssuer resource with the intermediate CA. Upon a certificate request comes, the cluster issuer resource will create and sign the certificate, and store it as a K8s secret. The certificate can then be mounted to the pods for the application to consume. The cert-manager watches the expiration of the cert and renews it before it expires.
Let's set this up. My test environment is OpenShift 4.10. The installation of the cert-manager is skipped as in my case the cert-manager is already brought in by other software. Anyway, the installation is simple and straightforward.
Root CA and Intermediate CA
First, use cfssl to create the Root CA and an Intermediate CA.
Prepare the following myca.json file,
{
"CN": "myca",
"hosts": [ "myca" ],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "SG",
"ST": "SG",
"L": "Singapore"
}
]
}Create the root CA,
cfssl gencert -initca myca.json | cfssljson -bare myca
