Skip to content
/ cert-completer Public

A Kubernetes operator that ensures that all TLS secrets have a valid ca.crt

License

Apache-2.0 license
18 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

erwinvaneyk/cert-completer

BranchesTags

Repository files navigation

Cert Completer

Cert Completer is a small Kubernetes operator that ensures that all TLS secrets have a valid ca.crt.

It addresses a specific issue with the (Let's Encrypt) ACME provider in cert-manager, where certificates are lacking a CA in the ca.crt key of the generated secret. Although issues have been raised to fill the ca.crt (see #2111 and #1571), it is not clear if and when these issues will be resolved. Cert Completer is an attempt to patch this issue immediately regardless of the cert-manager version.

To provide each TLS secret with a ca.crt, the operator parses the certificate chain in tls.crt. It uses the last (top-most) certificate in this chain for ca.crt. Although this does not guarantee that ca.crt contains a root CA, it does guarantee that the CA present is valid for the TLS secret.

Installation

Using pre-built resources:

kubectl apply -f https://raw.githubusercontent.com/erwinvaneyk/cert-completer/master/cert-completer.yaml

Using Kustomize (requires kubectl > 1.15):

kubectl apply -k github.com/erwinvaneyk/cert-completer//config/default

Clone and modify ./config/default/kustomization.yaml for alternative, custom deployments.

About

A Kubernetes operator that ensures that all TLS secrets have a valid ca.crt

Resources

Readme

License

Apache-2.0 license
Activity

Stars

18 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases 1

v0.1 Latest
Dec 23, 2019

Packages

No packages published

Contributors 2

  •  
  •  

Languages