This guide demonstrates the usage of cert-manager as a certificate provider to manage and issue certificates in OSM.

Prerequisites

  • Kubernetes cluster running Kubernetes v1.19.0 or greater.
  • Have kubectl available to interact with the API server.
  • Have osm CLI available for installing and managing the service mesh.

Demo

The following demo uses cert-manager as the certificate provider to issue certificates to the curl and httpbin applications communicating over Mutual TLS (mTLS) in an OSM managed service mesh.

  1. Install cert-manager. This demo uses cert-manager v1.6.1.

    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml

    Confirm the pods are ready and running in the cert-manager namespace.

    kubectl get pod -n cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-55658cdf68-pdnzg             1/1     Running   0          2m33s
cert-manager-cainjector-967788869-prtjq   1/1     Running   0          2m33s
cert-manager-webhook-6668fbb57d-vzm4j     1/1     Running   0          2m33s

  2. Configure cert-manager Issuer and Certificate resources required by cert-manager to be able to issue certificates in OSM. These resources must be created in the namespace where OSM will be installed later.

    Note: cert-manager must first be installed, with an issuer ready, before OSM can be installed using cert-manager as the certificate provider.

    Create the namespace where OSM will be installed.

    export osm_namespace=osm-system # Replace osm-system with the namespace where OSM is installed
kubectl create namespace "$osm_namespace"

    Next, we use a SelfSigned issuer to bootstrap a custom root certificate. This will create a SelfSigned issuer, issue a root certificate, and use that root as a CA issuer for certificates issued to workloads within the mesh.

    # Create Issuer and Certificate resources
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: "$osm_namespace"
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: osm-ca
  namespace: "$osm_namespace"
spec:
  isCA: true
  duration: 87600h # 365 days
  secretName: osm-ca-bundle
  commonName: osm-system
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: osm-ca
  namespace: "$osm_namespace"
spec:
  ca:
    secretName: osm-ca-bundle
EOF

  3. Confirm the osm-ca-bundle CA secret is created by cert-manager in OSM’s namespace.

    $ kubectl get secret osm-ca-bundle -n "$osm_namespace"
NAME            TYPE                DATA   AGE
osm-ca-bundle   kubernetes.io/tls   3      84s

    The CA certificate saved in this secret will be used by OSM upon install to bootstrap its ceritifcate provider utility.

  4. Install OSM with its certificate provider kind set to cert-manager.

    osm install --set osm.certificateProvider.kind="cert-manager"

    Confirm the OSM control plane pods are ready and running.

    $ kubectl get pod -n "$osm_namespace"
NAME                              READY   STATUS    RESTARTS   AGE
osm-bootstrap-7ddc6f9b85-k8ptp    1/1     Running   0          2m52s
osm-controller-79b777889b-mqk4g   1/1     Running   0          2m52s
osm-injector-5f96468fb7-p77ps     1/1     Running   0          2m52s

  5. Enable permissive traffic policy mode to set up automatic application connectivity.

    Note: this is not a requirement to use cert-manager but simplifies the demo by not requiring explicit traffic policies for application connectivity.

    kubectl patch meshconfig osm-mesh-config -n "$osm_namespace" -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":true}}}'  --type=merge

  6. Deploy the httpbin service into the httpbin namespace after enrolling its namespace to the mesh. The httpbin service runs on port 14001.

    # Create the httpbin namespace
kubectl create namespace httpbin

# Add the namespace to the mesh
osm namespace add httpbin

# Deploy httpbin service in the httpbin namespace
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/samples/httpbin/httpbin.yaml -n httpbin

    Confirm the httpbin service and pods are up and running.

    $ kubectl get svc -n httpbin
NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
httpbin   ClusterIP   10.96.198.23   <none>        14001/TCP   20s

    $ kubectl get pods -n httpbin
NAME                     READY   STATUS    RESTARTS   AGE
httpbin-5b8b94b9-lt2vs   2/2     Running   0          20s

  7. Deploy the curl client into the curl namespace after enrolling its namespace to the mesh.

    # Create the curl namespace
kubectl create namespace curl

# Add the namespace to the mesh
osm namespace add curl

# Deploy curl client in the curl namespace
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/samples/curl/curl.yaml -n curl

    Confirm the curl client pod is up and running.

    $ kubectl get pods -n curl
NAME                    READY   STATUS    RESTARTS   AGE
curl-54ccc6954c-9rlvp   2/2     Running   0          20s

  8. Confirm the curl client is able to access the httpbin service on port 14001.

    $ kubectl exec -n curl -ti "$(kubectl get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')" -c curl -- curl -I http://httpbin.httpbin:14001
HTTP/1.1 200 OK
server: envoy
date: Mon, 15 Mar 2021 22:45:23 GMT
content-type: text/html; charset=utf-8
content-length: 9593
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 2

    A 200 OK response indicates the HTTP request from the curl client to the httpbin service was successful. The traffic between the application sidecar proxies is encrypted and authenticated using Mutual TLS (mTLS) by leverging the certificates issued by the cert-manager certificate provider.