Join us

OpenDistro with cert-manager

Last time we talked about installing OpenDistro on Kubernetes using self-signed certificates, this can be a repetitive and boring task to do each time. Instead we can delegate the creation of certificates to a tool like cert-manager.

If you didn’t read the first part of this article you can find it here


cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.

Deploying cert-manager

cert-manager is really simple to deploy, we’ll be using helm, to do so follow the next steps:

                helm repo add jetstack
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.4.0 \
  --set installCRDs=true

It is as simple as that to install cert-manager on you’re cluster, next step is to configure the Issuer.


An Issuer is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are :

  • SelfSigned: Certificates will be signed by using the same private-key attached to the signed certificate.
  • CA: Certificates are signed using an already imported certificate authority
  • Vault: This will delegate the signing of certificate to vault, which can be configured a PKI.
  • ACME: ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets encrypt.

Issuer Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer, which is the same as Issuer but it can be used on a cluster level.

Configure Issuers

In our case we’ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro.

kind: Issuer                       
  name: selfsigned-issuer                         
  namespace: opendistro                      
  selfSigned: {}


Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets

To create certificates that can be used by OpenDistro we need to pass special configuration options:

kind: Certificate                       
  name: es-transport-tls                         
  namespace: opendistro                       
  isCA: true                         
  duration: 2160h # 90d 2160h                         
  renewBefore: 168h # 7d 168h                         
  commonName: es-client                         
  - es-client                         
    algorithm: RSA                           
    encoding: PKCS8                           
    size: 4096                         
    kind: Issuer                           
    name: selfsigned-issuer                         
  secretName: es-transport-tls

Don’t worry we’ll explain some of the options that are not self explicit:

  • commonName: This needs to be the same as the value of node_dn in OpenDistro configuration.
  • encoding: by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a PKCS8.
  • secretName: the name of Kubernetes secret where the certificate and the private key will be stored.

OpenDistro configuration:

For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names.

    existingCertSecret: es-transport-tls
    existingCertSecretCertSubPath: tls.crt
    existingCertSecretKeySubPath: tls.key
    existingCertSecretRootCASubPath: ca.crt

Since the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the same.

                helm upgrade --install \
     -n opendistro  <release_name>  -f values.yaml \

As always you can find all the configuration files on my GitHub.

I hope that you found this article useful and see you next time.

Bey !!!

Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies, reach more readers and earn rewards!

Join other developers and claim your FAUN account now!

User Popularity



Total Hits