Join us

OpenDistro with cert-manager

Last time we talked about installing OpenDistro on Kubernetes using self-signed certificates, this can be a repetitive and boring task to do each time. Instead we can delegate the creation of certificates to a tool like cert-manager.

If you didn’t read the first part of this article you can find it here

cert-manager

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.

Deploying cert-manager

cert-manager is really simple to deploy, we’ll be using helm, to do so follow the next steps:

It is as simple as that to install cert-manager on you’re cluster, next step is to configure the Issuer.

Issuers

An Issuer is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are :

  • SelfSigned: Certificates will be signed by using the same private-key attached to the signed certificate.
  • CA: Certificates are signed using an already imported certificate authority
  • Vault: This will delegate the signing of certificate to vault, which can be configured a PKI.
  • ACME: ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets encrypt.

Issuer Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer, which is the same as Issuer but it can be used on a cluster level.

Configure Issuers

In our case we’ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro.

Certificates

Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets

To create certificates that can be used by OpenDistro we need to pass special configuration options:

Don’t worry we’ll explain some of the options that are not self explicit:

  • commonName: This needs to be the same as the value of node_dn in OpenDistro configuration.
  • encoding: by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a PKCS8.
  • secretName: the name of Kubernetes secret where the certificate and the private key will be stored.

OpenDistro configuration:

For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names.

Since the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the same.

As always you can find all the configuration files on my GitHub.

I hope that you found this article useful and see you next time.

Bey !!!


Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies, reach more readers and earn rewards!

Join other developers and claim your FAUN account now!

User Popularity
7

Influence

775

Total Hits

1

Posts