Awesome
cert-operator
Cert Operator creates, configures, and manages certificates for Kubernetes clusters running on the Giant Swarm platform.
Most of the functionality currently provided by this project is now supported natively by Kubernetes' Cluster API (CAPI). As we move more platform functionality to use CAPI workflows, this project will eventually be deprecated.
About
cert-operator is responsible for provisioning certificates used by components of the Giant Swarm platform. It reconciles CertConfig Custom Resources (CRs) and configures Hashicorp vault accordingly. For a given CertConfig, cert-operator ensures:
vaultis accessible- the necessary
vaultPKI backend has been created - a root CA for the associated workload cluster has been created using the PKI backend
Secrets are then created in the management cluster containing the certificates, signed by the root CA, used for establishing connections with and within the workload cluster.
Currently, cert-operator handles creation of kubeconfigs for workload cluster access for the following components:
- the Giant Swarm API
- app-operator
- aws/azure/kvm-operator
- calico
- etcd
- node-operator
- Prometheus
Compatibility
| provider | cert-operator | cluster-operator |
|---|---|---|
| AWS | < 1.0.0* | < 3.6.1 |
| AWS | >= 1.0.1 | >= 3.6.1 |
| all others | >= 1.0.1 | >= 0.24.1 |
| all others | < 1.0.1 | < 0.24.0* |
* cert-operator v1.0.0 and cluster-operator v0.24.0 have known issues. Use v1.0.1 or v0.24.1 instead.
Prior to version 1.0.0, cert-operator reconciled based on the spec.versionBundle.version field of the CertConfig CR.
In version 1.0.0 and later, the CR field is ignored, and the operator reconciles CertConfigs which have the cert-operator.giantswarm.io/version label set to the operator's version.
In a typical pre-CAPI Giant Swarm release, cluster-operator creates the CertConfigs necessary for each cluster. cluster-operator prior to version 3.6.1 (AWS) and 0.24.0 (Azure and KVM) did not set the appropriate label and still used the older hardcoded versionBundle. The two methods are not compatible.
Prerequisites
Getting Project
Download the latest release: https://github.com/giantswarm/cert-operator/releases/latest
Clone the git repository: https://github.com/giantswarm/cert-operator.git
Download the latest docker image from here: https://quay.io/repository/giantswarm/cert-operator
How to build
Dependencies
Building the standard way
go build github.com/giantswarm/cert-operator
Running cert-operator
See this guide.
Contact
- Mailing list: giantswarm
- IRC: #giantswarm on freenode.org
- Bugs: issues
Contributing & Reporting Bugs
See CONTRIBUTING for details on submitting patches, the contribution workflow as well as reporting bugs.
License
cert-operator is under the Apache 2.0 license. See the LICENSE file for details.
Credit
Secrets
The cert-operator is deployed via Kubernetes.
Here the plain Vault token has to be inserted.
service:
vault:
config:
token: 'TODO'
Here the base64 representation of the data structure above has to be inserted.
apiVersion: v1
kind: Secret
metadata:
name: cert-operator-secret
namespace: giantswarm
type: Opaque
data:
secret.yaml: 'TODO'
To create the secret manually do this.
kubectl create -f ./path/to/secret.yaml