Chaining Kiam Certificates using Cert-manager

Chaining Kiam Certificates using Cert-manager

Suraj Narwade's photo
Suraj Narwade
Apr 23, 2021·

2 min read

Play this article

Source: https://unsplash.com/photos/pZld9PiPDno

When associating IAM roles with pods instead of assigning a super role to worker nodes, Kiam is a fairly popular project in Community; kiam runs as an agent on each node in the Kubernetes cluster, allowing cluster users to associate IAM roles to Pods.

To enhance security, Kiam uses certificates for servers & agents. To simplify the certificate management for Kiam, we will utilise cert-manager,

cert-manager is a native Kubernetes certificate management controller that helps issue certificates from various sources or self-signed ones.

For Kiam, we will need the following:

  • Self-signed CA

  • Server Certificate (Generated from above CA)

  • Agent Certificate (Generated from above CA)

Following Code shows the issuer & Certificate for the initial Self-signed CA. isCA option in the certificate spec specifies that it’s a CA certificate.

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kiam-ca-selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kiam-ca-selfsigned
spec:
  secretName: kiam-ca-selfsigned
  commonName: "kiam-ca"
  isCA: true
  issuerRef:
    name: kiam-ca-selfsigned-issuer
  usages:
  - "any"

The above CA certificate will be stored in Kiam-ca-self-signed secret.

Based on this CA certificate, we will create an Issuer of CA type and pass the secret name.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kiam-ca-issuer
spec:
  ca:
   secretName: kiam-ca-selfsigned

Now that we have an issuer, we are ready to generate server & agent certificates,

Generating Server & Agent Certificates

  • For Server

      apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: kiam-server
  spec:
    secretName: kiam-server-tls
    issuerRef:
      name: kiam-ca-issuer
    usages:
    - "any"
    dnsNames:
    - "localhost"
    - "kiam-server"
    ipAddresses:
    - "127.0.0.1"

  • For Agent

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kiam-agent
spec:
  secretName: kiam-agent-tls
  commonName: agent
  issuerRef:
    name: kiam-ca-issuer
  usages:
  - "any"

Renewing Certificates

The only caveat here is if the main Self-signed CA issuer gets renewed, the following server & agent certificates don’t get renewed; this issue is already reported on cert-manager repositories. You’ll have to renew them by following commands manually,

kubectl cert-manager renew kiam-server --namespace=kube-system
kubectl cert-manager renew kiam-agent --namespace=kube-system

I hope you learned something new from this blog post. Click here to learn about me and how you can support my work, Thank you.

References

Did you find this article valuable?

Support Suraj Narwade by becoming a sponsor. Any amount is appreciated!

kiamKubernetescert-manager