Learn how to automatically provision and manage TLS certificates in Kubernetes using Infisical PKI

In this guide, you'll install cert-manager and the Infisical PKI Issuer, and configure resources to represent the connection details to your Infisical PKI and the certificates you wish to issue. Each issued certificate and its corresponding private key is made available in a Kubernetes Secret.

We recommend reading the cert-manager documentation for a fuller understanding of all the moving parts.
At a high level, the steps are:

1. Install cert-manager into your Kubernetes cluster.
2. Create an Issuer or ClusterIssuer resource in your Kubernetes cluster to represent the Infisical PKI issuer you wish to use.
3. Create a Certificate resource in your Kubernetes cluster to represent a certificate you wish to issue. As part of this step, you specify the Kubernetes Secret in which the issued certificate and private key will be created and stored.
4. Consume the issued certificate and private key from that Secret.

Create an identity in Infisical
Install cert-manager

Install cert-manager into your Kubernetes cluster by following the instructions here or by running the following command:

Install the Issuer Controller
Create Kubernetes Secret for Infisical PKI Issuer

Create a Kubernetes Secret containing the Client Secret from step 1. As mentioned previously, this is what the Infisical PKI issuer uses to authenticate with Infisical.

Create Infisical PKI Issuer
Create the Infisical PKI Issuer by filling in the url, clientId, projectId or certificateTemplateName, and applying the following configuration file for the Issuer resource.

This configuration file specifies the connection details to your Infisical PKI CA to be used for issuing certificates.

An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. This means you will need to create an Issuer in each namespace in which you wish to obtain Certificates.

If you want to create a single Issuer that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer resource instead. It is almost identical to the Issuer resource, but it is non-namespaced, so it can be used to issue Certificates across all namespaces. You can read more about the Issuer and ClusterIssuer resources here.

Create Approver Policy
If you inspect the CertificateRequest now, you'll notice it is neither approved nor denied. This is expected because, by default, the cert-manager approver controller requires an approver policy.

To enable approval, create the following YAML file and apply it:

This policy creates a ClusterRole named infisical-issuer-approver that grants approval permissions for specific Infisical issuer types. It then binds this role to the cert-manager service account, allowing it to approve certificate requests from your Infisical issuers. For more information, see the cert-manager approval policy documentation.

Create Certificate
Create a Certificate by applying the following configuration file.

This configuration file specifies the details of the (end-entity/leaf) certificate to be issued. It requests a certificate for certificate-by-issuer.example.com with an ECDSA private key using the P-256 curve, valid for 48 hours; the certificate will be automatically renewed by cert-manager 12 hours before expiry.

The certificate is issued by the issuer issuer-infisical created in the previous step, and the resulting certificate and private key will be stored in a secret named certificate-by-issuer.
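The Certificate resource described above, written out as an added example rather than the page's own manifest. The namespace, the dnsNames entry and the rotationPolicy are my additions, and the issuerRef group is assumed to be the API group of the Infisical Issuer CRD; set it to the group used by the apiVersion of your Issuer manifest:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-by-issuer
  namespace: default            # assumed; must be the namespace of the Issuer
spec:
  commonName: certificate-by-issuer.example.com
  dnsNames:
    - certificate-by-issuer.example.com   # SAN; most TLS clients ignore commonName
  secretName: certificate-by-issuer       # will hold ca.crt, tls.crt and tls.key
  duration: 48h                 # requested validity
  renewBefore: 12h              # renew 12h before expiry; must be shorter than duration
  privateKey:
    algorithm: ECDSA
    size: 256                   # P-256 curve
    rotationPolicy: Always      # generate a fresh key on every renewal instead of reusing it
  issuerRef:
    name: issuer-infisical
    kind: Issuer
    group: infisical-issuer.infisical.com   # assumed; use your Issuer CRD's API group
```

After applying it, cert-manager creates a CertificateRequest, which must be approved by the approver policy from the previous step before the Secret is populated.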
Note that the full list of fields supported on the Certificate resource can be found in the API reference documentation here. You can check that the certificate was created successfully by running the following command:

Use Certificate in Kubernetes Secret
Once the certificate has been issued, you can describe the secret to get more information about it:

In the secret, ca.crt is the Root CA certificate, tls.crt is the requested certificate followed by the certificate chain, and tls.key is the private key for the certificate. We can decode the certificate and print it out using openssl:

What fields can be configured on the Certificate resource?

The full list of fields supported on the Certificate resource can be found in the API reference documentation here.

Can certificates be renewed automatically?

Yes. cert-manager will automatically renew certificates according to the renewBefore threshold of expiry specified in the corresponding Certificate resource. You can read more about the renewBefore field here.

Why is my CertificateRequest not being approved, showing 'CertificateRequest has not been approved yet. Ignoring.'?

This message means the CertificateRequest has been created, but cert-manager has not yet approved it. This typically occurs because a necessary approver policy is missing. Refer to the documentation above to create an approver policy.