...

  • Legacy AAF CertMan, which uses the SCEP protocol or its own internal Certificate Authority - mostly used by AT&T and integrated with several ONAP components
  • New CertService, which uses CMPv2 to enroll certificates - integrated with ONAP bordering components to protect external traffic
  • K8s Cert-Manager, which is the OOM way forward to enroll certificates for ONAP components and the de-facto industry standard for K8s-based clouds

It is time to unify them and use just one of them going forward.

...

Underneath, from the Certificate CRD Cert-Manager creates a CertificateRequest CRD, which is more suitable for M2M processing as it contains the Certificate Signing Request (CSR). The CertificateRequest CRD is then consumed by an Issuer, which processes the CSR stored there, puts the signed certificate and trusted certs into the CertificateRequest's status and marks the CertificateRequest as Ready. Cert-Manager notices this state change and, from the CertificateRequest marked as Ready, creates the K8s secret originally requested in the Certificate CRD. Such a K8s secret is ready to be mounted into a K8s workload like any other secret.

...

[Gliffy diagram: cert_manager_cert_service_integration]


As a consequence, all existing usages should be adjusted to the new way: create a Certificate CRD instead of calling the CertService client as an init container.
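The Certificate CRD that a component would create in place of the CertService client init container, as an added example that is not from the original page or the ONAP project repositories. Namespace, resource names, DNS names and the CMPv2 issuer's kind/group are placeholders and assumptions; the `keystores` section uses cert-manager's standard JKS/PKCS12 output fields.

```yaml
# Added example (not from the original page): a cert-manager Certificate CRD
# that replaces the CertService client init container described above.
# Placeholder values: namespace, names, DNS names; assumed: issuer kind/group.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dcae-example-cert               # placeholder name
  namespace: onap                       # placeholder namespace
spec:
  # cert-manager writes the signed cert, private key and CA chain into this
  # Secret once the CertificateRequest is Ready; the workload mounts it
  # like any other K8s secret.
  secretName: dcae-example-cert-secret  # placeholder
  commonName: dcae-example.onap.svc     # placeholder
  dnsNames:
    - dcae-example.onap.svc                # placeholder
    - dcae-example.onap.svc.cluster.local  # placeholder
  duration: 2160h      # 90 days
  renewBefore: 360h    # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
  usages:
    - server auth
    - client auth
  # Issuer that consumes the CertificateRequest and talks CMPv2 to the CA;
  # the kind and group below are an assumption about the CertService-backed
  # external issuer, not taken from the page.
  issuerRef:
    name: cmpv2-issuer-onap       # placeholder
    kind: CMPv2Issuer             # assumed kind
    group: certmanager.onap.org   # assumed group
  # Optional: also emit JKS and PKCS12 keystore/truststore entries into the
  # same Secret (this is where the multiple-root-CA limitation shows up).
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: keystore-password   # placeholder Secret holding the password
        key: password
    pkcs12:
      create: true
      passwordSecretRef:
        name: keystore-password   # placeholder
        key: password
```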

...

[Gliffy diagram: dcae_cmpv2_certmanager_flow]

Limitations

A detailed check found that K8s Cert-Manager doesn't correctly handle an issuer's response that contains multiple trusted certificates (i.e. several root CAs). The following community bugs were reported for this:

  1. Add multiple trustedCertEntries to truststores
  2. JKS and PKCS12 Keystores are inconsistent


Future

CertService API enhancements

...