cfssl-issuer

command module
v0.3.3

This package is not in the latest version of its module.
Published: Jan 6, 2023 License: Apache-2.0 Imports: 12 Imported by: 0

README

CFSSL Issuer

CFSSL Issuer is a controller that extends Jetstack's cert-manager to add an issuer that uses a CFSSL server to sign certificate requests.

Installation

This controller requires a cert-manager version newer than v0.11.0 and a running CFSSL server.

Helm

TBD

Manually
git clone git@github.com:OpenSource-THG/cfssl-issuer.git
cd cfssl-issuer
kubectl apply -f deploy

Configuration

Once installed, we need to configure either a CfsslIssuer or a CfsslClusterIssuer resource.

Deployment

All CFSSL issuers share common configuration for requesting certificates, namely the URL, Profile and CA Bundle:

  • URL is the URL of a CFSSL server
  • Profile is an optional field, denoting which profile CFSSL should use when signing a Certificate
  • CA Bundle is a base64-encoded string of the Certificate Authority used to trust the CFSSL connection. The controller will also assume that this is the CA used when signing the Certificate Request

Below is an example of a namespaced and a cluster-scoped configuration:

kind: CfsslIssuer
apiVersion: certmanager.thg.io/v1beta1
metadata:
  name: cfsslissuer-server
spec:
  url: https://cfsslapi.local
  caBundle: <base64-encoded-ca>
---
kind: CfsslClusterIssuer
apiVersion: certmanager.thg.io/v1beta1
metadata:
  name: cfsslissuer-server
spec:
  url: https://cfsslapi.local
  caBundle: <base64-encoded-ca>

The controller assumes that the CFSSL API is secured via TLS using the provided CA Bundle and that the certs are signed by the same CA.
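Because one caBundle value serves both as the TLS trust anchor and as the assumed signing CA, it is worth checking it before deploying an issuer. The following is an added example, not code from this project: `CheckCABundle` and `SampleCAAndLeaf` are hypothetical names, and the CAs and leaf certificate are throwaway test data generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckCABundle decodes a caBundle value (base64 of PEM) and verifies that leaf chains to it.
func CheckCABundle(caBundle string, leaf *x509.Certificate) error {
	raw, err := base64.StdEncoding.DecodeString(caBundle)
	if err != nil {
		return fmt.Errorf("caBundle is not base64: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(raw) {
		return fmt.Errorf("caBundle holds no PEM certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SampleCAAndLeaf builds a throwaway CA and a leaf it signs (constructed data).
func SampleCAAndLeaf(cn string) (caPEM []byte, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

func main() {
	caA, leafA := SampleCAAndLeaf("constructed CA A")
	caB, _ := SampleCAAndLeaf("constructed CA B")
	fmt.Println("matching bundle:", CheckCABundle(base64.StdEncoding.EncodeToString(caA), leafA))
	fmt.Println("other CA bundle:", CheckCABundle(base64.StdEncoding.EncodeToString(caB), leafA))
}
```

Pasting raw PEM into caBundle without base64-encoding it is rejected at the first step, and a bundle holding a different CA fails chain verification.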

Certificates are then created via the normal cert-manager flow, referencing the issuer. Unlike with the built-in issuers, the group and kind must be explicitly defined.

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: example.com
  dnsNames:
    - example.com
    - www.example.com
  issuerRef:
    name: cfsslissuer-server
    group: certmanager.thg.io
    kind: CfsslIssuer

Documentation

There is no documentation for this package.

Directories

Path          Synopsis
api/v1beta1   Package v1beta1 contains API Schema definitions for the certmanager v1beta1 API group +kubebuilder:object:generate=true +groupName=certmanager.thg.io
