
Setting up NKS PKI (Own Certificate via Cert-Manager in a Kubernetes cluster)

nks-pki

Let's have a Kubernetes cluster

curl https://raw.githubusercontent.com/naren4b/dotfiles/main/ws/install.sh | bash

Ingress controller

# The step above already installs this by default
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl label nodes controlplane ingress-ready="true"
kubectl wait --for=condition=ready pod -n ingress-nginx -l app.kubernetes.io/component=controller

Install cert-manager

helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.crds.yaml
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.14.1
kubectl get pod -n cert-manager

Create your Root CA

CA_NAME="NKS Certificate Authority"
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${CA_NAME}" -days 10000 -out ca.crt

kubectl create secret tls nks-pki-tls --cert=ca.crt --key=ca.key -n cert-manager

Install ClusterIssuer

cat <<EOF > nks-pki-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: nks-pki-issuer
spec:
  ca:
    secretName: nks-pki-tls
EOF

kubectl apply -f nks-pki-issuer.yaml

Install Application and Certificates

kubectl create deployment echoserver --image k8s.gcr.io/echoserver:1.10
kubectl expose deployment echoserver --port=8080
kubectl create ingress echoserver --class=nginx --rule="echoserver.127.0.0.1.nip.io/*=echoserver:8080,tls=echoserver-ingress-tls"

cat <<EOF > echoserver-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: echoserver-certificate
spec:
  isCA: false
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: echoserver.127.0.0.1.nip.io
  dnsNames:
  - echoserver.127.0.0.1.nip.io
  - www.echoserver.127.0.0.1.nip.io
  secretName: echoserver-ingress-tls
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  issuerRef:
    name: nks-pki-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
kubectl apply -f echoserver-certificate.yaml

Test the certificate

sudo openssl s_client -connect echoserver.127.0.0.1.nip.io:443 -showcerts </dev/null
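The s_client output above only shows the served chain; what a defender actually wants to know is whether that leaf chains to the root in ca.crt, covers the requested hostname in its SANs, and how close it is to cert-manager's renewBefore window. The Go program below is an added example, not code from the nks-pki repo or from cert-manager: it builds a locally constructed stand-in for the "NKS Certificate Authority" root and an echoserver leaf with the Certificate's dnsNames, duration and renewBefore, then runs that check. NewCA, IssueLeaf, sign and CheckLeaf are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// spec.duration (2160h = 90d) and spec.renewBefore (360h = 15d) from the echoserver Certificate on the page.
const Duration, RenewBefore = 2160 * time.Hour, 360 * time.Hour
// CheckLeaf: does leaf chain to the root from ca.crt, cover host in its SANs, and how many whole days remain.
func CheckLeaf(leaf, ca *x509.Certificate, host string, now time.Time) (daysLeft int, renewDue bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}); err != nil {
		return 0, false, err
	}
	left := leaf.NotAfter.Sub(now)
	return int(left.Hours() / 24), left <= RenewBefore, nil
}
// sign makes an RSA-2048 key (privateKey.size on the page) and signs tmpl; nil parent = self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (cert *x509.Certificate, key *rsa.PrivateKey, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}
// NewCA is a constructed stand-in for the root created with `openssl req -x509` on the page (not read from ca.crt).
func NewCA(now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "NKS Certificate Authority"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10000 * 24 * time.Hour), // -days 10000 on the page
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// IssueLeaf plays the CA ClusterIssuer: a server certificate for the Certificate's dnsNames, valid for Duration.
func IssueLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, dns []string, now time.Time) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dns[0]},
		DNSNames: dns, NotBefore: now, NotAfter: now.Add(Duration),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return cert, err
}
```

Against the real cluster the equivalent is `openssl s_client -connect ... -CAfile ca.crt` and checking for `Verify return code: 0 (ok)`; CheckLeaf additionally fails on a hostname not listed in dnsNames and flags the renewal window cert-manager will act on.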

  • Demo Environment: https://killercoda.com/playgrounds/scenario/kubernetes