New in Red Hat OpenShift 4.10, we are adding the Technology Preview of the cert-manager operator. cert-manager is a fully open source project that was accepted by Cloud Native Computing Foundation (CNCF) on November 10, 2020. cert-manager adds certificates and certificate issuers as resource types to Kubernetes clusters, and simplifies the process of obtaining, renewing, and using those certificates. It issues certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, and Venafi as well as private PKI. It ensures certificates are valid and up to date, and attempts to renew certificates at a configured time before expiry. It is loosely based on kube-lego and kube-cert-manager.

Introduction

cert-manager is a powerful, general-purpose certificate management controller for Kubernetes. cert-manager automates certificate management in cloud native environments and builds on top of Kubernetes and OpenShift to provide X.509 certificates and issuers as first-class resource types, thereby providing 'certificates as a service' securely to developers and applications working within your cluster. Since it first became available as an open source project, cert-manager has become hugely successful by enabling cloud native platform teams to easily automate TLS certificates for Kubernetes and OpenShift workloads. It obtains certificates from a variety of Issuers, both popular public Issuers and private Issuers.

cert-manager use cases in Tech Preview

cert-manager can be used to address a variety of use cases. Cluster administrators benefit from an easy and intuitive way of installing the operator through the Red Hat Operator Marketplace available in the cluster. cert-manager provides a centralized API and a consistent interface, which means a cluster administrator can easily swap out an issuer to use a different certificate provider. This operation only requires a change to the Issuer configuration and to the issuer that the application is configured to use; the rest is all handled by cert-manager.

Service developers focused on delivering their business objectives will also appreciate the easy way to request key signing material or certificates for the Route and Ingress objects. Please note that the Tech Preview release only supports Ingress objects.

Installing the cert-manager Operator on OpenShift Container Platform

To install the cert-manager Operator for Red Hat OpenShift, navigate to Operators -> OperatorHub in your OpenShift 4.10 (or later) cluster. Then, use the search box to find the operator:

Next, install the operator:

Once the installation process is complete, you can view the operator by navigating to Operators -> Installed Operators:

Configuring Issuers

cert-manager provides support for many different issuers. The selfSigned issuer is one of the simplest, and we recommend using it for experimentation. Start by creating a cert.yaml file with the following content:

https://gist.github.com/slaskawi/744e8244f39cfae91827f7b8dd6367e0
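The gist linked above is not reproduced on this page. As an added example (not the author's gist), here is a cert.yaml that matches the commands which follow: the namespace sandbox and the secret root-secret come from those commands, while the Issuer and Certificate names, the common name and the durations are illustrative choices. It goes one step beyond the post by also defining a CA Issuer backed by the self-signed root, which is the usual next step once the self-signed certificate exists.

```yaml
# Added example (not the post's gist): a minimal cert.yaml for the selfSigned
# flow described above. Assumed names: the namespace "sandbox" and the secret
# "root-secret" come from the oc commands in the post; the Issuer and
# Certificate names, the commonName and the durations are illustrative.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
# A selfSigned Issuer needs no configuration: it signs each Certificate's CSR
# with that Certificate's own private key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: sandbox
spec:
  selfSigned: {}
---
# The Certificate describes the desired state; cert-manager generates the
# private key, obtains the signed certificate and stores both in secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sandbox-root-ca
  namespace: sandbox
spec:
  isCA: true                    # mark as a CA so it can back the CA Issuer below
  commonName: sandbox-root-ca
  secretName: root-secret       # what `oc get secret root-secret -n sandbox` reads
  duration: 2160h               # 90 days of validity
  renewBefore: 360h             # cert-manager re-issues 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# One step further than the post: a CA Issuer that signs leaf certificates
# with the self-signed root stored in root-secret, so workloads reference
# this issuer rather than the selfSigned one.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: sandbox-ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: root-secret
```

After oc apply -f cert.yaml, oc get certificate -n sandbox shows READY set to True once issuance has finished, and the root-secret Secret then contains tls.key and tls.crt (plus ca.crt, which for a self-signed certificate is the certificate itself). The renewBefore value is what the introduction refers to as renewing "at a configured time before expiry". Switching this Certificate to another provider later, as described in the use cases section, means changing only the issuerRef block and the corresponding Issuer resource; the Secret name the application consumes stays the same.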

Once created, apply it:

$ oc apply -f cert.yaml

After a minute or two, the certificate will be ready. Inspect the issued secret, which holds the key and certificate, using:

$ oc get secret root-secret -n sandbox -o yaml

https://gist.github.com/slaskawi/c1596ef8b7530c65b6be6ea8e7bcc140

Contact us

You can learn more about cert-manager from the open source documentation and keep tabs on the OpenShift productization process in our git repository. We would love to hear from you. Send us feedback on this new OpenShift operator by raising an issue in our git repo: https://github.com/openshift/cert-manager-operator