Skip to content
This repository has been archived by the owner on Nov 20, 2023. It is now read-only.
/ signer-ca Public archive

Experimental 'local CA' based signer for Kubernetes 1.18 CSR API

License

Notifications You must be signed in to change notification settings

cert-manager/signer-ca

Repository files navigation

signer-ca

signer-ca is an operator for automatically signing an approved CertificateSigningRequest.

NOTE: This operator is EXPERIMENTAL and requires Kubernetes >= 1.18. It uses Certificates API Enhancements which are only available in Kubernetes >= 1.18.

It watches CertificateSigningRequest (CSR) resources and if the CSR has a .spec.signerName that it recognizes, and if the CSR has been approved, it creates a signed certificate using a certificate-authority file that you supply as a command-line argument to the operator. The signed certificate is configured using the encoded CSR in .spec.request. The signed certificate is added to the .status.certificate of the CSR resource.

Installation

signer-ca can be deployed using kubectl apply -k config/default. See config/e2e for an example of how to make a CA file available to the operator, as a mounted secret.

Build

You can build and deploy signer-ca using make docker-build docker-push deploy-e2e DOCKER_PREFIX=gcr.io/<YOUR_PROJECT>/signer-ca/. See the Makefile for details.

Demo

asciicast

About

Experimental 'local CA' based signer for Kubernetes 1.18 CSR API

Resources

License

Stars

Watchers

Forks

Contributors 4

  •  
  •  
  •  
  •