...

K8s Cert-Manager is an industry standard for issuing X.509 certificates to K8s workloads. It provides a simple, reliable, elastic and efficient way to issue certificates within a K8s environment: simple because it relies on the K8s custom resource definition (CRD) mechanism, reliable because a K8s workload won't start without the secret created by Cert-Manager, elastic because it can provide certificates from many sources, including external provider issuers, and efficient because it can deliver hundreds of certificates per day.

...

CertService was implemented some time ago. It provides basic certificate enrollment functionality using CMPv2 over HTTP. Because ONAP has many components that issue certificates, it is wise to harmonize them and go forward with just one of them. As a way forward, CertService should become a backend proxy service for K8s Cert-Manager. The same functionality that is currently implemented in the CertService client should be implemented in a Cert-Manager external provider issuer, except for the parts that are already implemented in Cert-Manager and are generic for all providers (e.g. input parameter validation, conversion to different formats, etc.). If possible, the same input parameters that the CertService client uses today should also be used by the Certificate CRD. The following diagram presents the new setup.

...

In fact, Cert-Manager's external provider issuer is a K8s operator which reconciles two CRDs:

  • Cert-Manager's CertificateRequest CRD
  • New Issuer CRD

The external provider issuer notices that a CertificateRequest CRD with a reference to the New Issuer CRD was created, processes the CSR stored there, puts the signed certificate and the trusted certs into the result, and marks the CertificateRequest as Ready. Simple as that.

When component uses CertService client as init container

Usages

Helm templates

In helm templates the way forward is simple.

...

Certificate CRD must be added and K8s workload must be enhanced to mount secret

...

created out of Certificate CRD.
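As an added example (not from the page or from the ONAP project), this is the Certificate resource a Helm template would render for a component, followed by the workload's volume mount for the Secret that Cert-Manager creates from it; the issuer kind `CertServiceIssuer`, the API group `certservice.onap.org`, and all names and hostnames are placeholders, since the page does not name the new Issuer CRD.

```yaml
# Added example, not ONAP code. Issuer kind/group, names and hosts are placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-component-cert
  namespace: onap
spec:
  secretName: example-component-tls         # Secret that Cert-Manager will create
  commonName: example-component
  dnsNames:
    - example-component.onap.svc.cluster.local
  duration: 2160h                           # 90 days validity
  renewBefore: 360h                         # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: certservice-issuer                # instance of the New Issuer CRD
    kind: CertServiceIssuer                 # placeholder external issuer kind
    group: certservice.onap.org             # placeholder external issuer API group
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-component
  namespace: onap
spec:
  selector:
    matchLabels:
      app: example-component
  template:
    metadata:
      labels:
        app: example-component
    spec:
      containers:
        - name: app
          image: example-component:placeholder   # placeholder image
          volumeMounts:
            - name: tls
              mountPath: /etc/onap/certs        # tls.crt, tls.key, ca.crt appear here
              readOnly: true                    # the pod should never rewrite its key
      volumes:
        - name: tls
          secret:
            secretName: example-component-tls   # same name as spec.secretName above
```

Until Cert-Manager has written the Secret the pod stays in ContainerCreating, which is the "workload won't start without the secret" behaviour described above; the ca.crt key carries the trusted certs returned by the issuer.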

DCAE blueprints

The same change in DCAE is more complicated, because the K8s Cloudify plugin code must be extended to create a Certificate CRD instead of adding an init container.



Future

CertService API enhancements

...