Integrating with cert-manager

The Ignition Helm Chart offers cert-manager integration to provide automated certificate generation and management. When enabled, it provides automatic Gateway Network and webserver TLS certificate generation.

Review the cert-manager docs for more information, including guidance on installation and configuration best practices.

Customizing the cert-manager installation and augmenting it with a custom approval policy gives you more control over automated certificate generation, such as auto-approving only certificates that match configured specifications. This becomes more important in a cluster where users work in dedicated namespaces but share global ClusterIssuers.
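As an added illustration (not part of the Ignition Helm Chart or the cert-manager docs), the cert-manager approver-policy resources below restrict the shared selfsigned-issuer ClusterIssuer created in Setup to CA bootstrap requests, so a namespace tenant cannot obtain arbitrary leaf certificates from it. The policy name, the one-year duration limit and the cert-manager controller ServiceAccount name and namespace are assumptions, and it assumes approver-policy is installed with cert-manager's built-in auto-approver disabled.

```yaml
# Added example: cert-manager approver-policy resources (not part of the Ignition chart).
# Assumes cert-manager's built-in approver is disabled, so a request is approved only when a policy matches.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: selfsigned-ca-only   # assumed name
spec:
  # Apply only to requests that target the shared self-signed ClusterIssuer.
  selector:
    issuerRef:
      name: selfsigned-issuer
      kind: ClusterIssuer
      group: cert-manager.io
  allowed:
    # Permit CA requests (the chart's issuer Certificate). Requests carrying DNS names
    # or IP addresses are denied because those fields are not listed here.
    isCA: true
    commonName:
      value: "*"
  constraints:
    maxDuration: 8760h      # assumed upper bound: one year
    privateKey:
      algorithm: RSA
      minSize: 2048
---
# approver-policy evaluates a policy only for requesters RBAC-permitted to "use" it. Requests
# derived from Certificate resources are created by the cert-manager controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: selfsigned-ca-only-user
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    resourceNames: ["selfsigned-ca-only"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: selfsigned-ca-only-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: selfsigned-ca-only-user
subjects:
  - kind: ServiceAccount
    name: cert-manager        # assumed default controller ServiceAccount
    namespace: cert-manager   # assumed default installation namespace
```

After applying it, a CertificateRequest that targets selfsigned-issuer with DNS names or a non-CA profile stays Denied in kubectl get certificaterequests, while the chart's CA bootstrap request is Approved.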

Setup

Leveraging cert-manager for Ignition Gateway Network certificate management is straightforward: the chart uses cert-manager's ability to bootstrap an in-cluster CA issuer, so all the Ignition Helm Chart needs to get started is a self-signed ClusterIssuer.

Create this cluster-level resource using the inline kubectl apply command below:

# reminder: this needs to be run under a POSIX shell
kubectl apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
EOF

Enabling cert-manager integration

Enable cert-manager integration in the Ignition Helm Chart by setting the chart value certManager.enabled=true. Once enabled, the default configuration generates the following cert-manager resources:

  • A self-signed Certificate for the Gateway Network issuer.
  • An Issuer for generating Gateway Network Certificates.
  • A Certificate for the Ignition Gateway itself, configured to generate a PKCS12 keystore.

See the Installation section for more specifics on how the Ignition Helm Chart integrates certificates for both Gateway Network and the Ignition Webserver.