Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cert-manager/google-cas-issuer

cert-manager issuer for Google CA Service
https://github.com/cert-manager/google-cas-issuer

Last synced: 4 days ago
JSON representation

cert-manager issuer for Google CA Service

Awesome Lists containing this project

README

        

# Google Certificate Authority Service Issuer for cert-manager

This repository contains an [external Issuer](https://cert-manager.io/docs/contributing/external-issuers/)
for cert-manager that issues certificates using [Google Cloud
Certificate Authority Service (CAS)](https://cloud.google.com/certificate-authority-service/), using managed private CAs to issue certificates.

> [!IMPORTANT]
> The Google CAS Issuer project is currently in maintenance mode. We will continue to provide support for bug fixes and security updates, but no new major features are planned. We are looking for maintainers/ partners (eg. the Google CAS team) to continue the development of this project and take some of the maintainership responsibilities. If you are interested, please reach out to us on the [`cert-manager-dev` Slack via @cert-manager-maintainers](https://groups.google.com/forum/#!forum/cert-manager-dev).

> [!IMPORTANT]
> The `GoogleCASIssuer` and `GoogleCASClusterIssuer` CRDs are part of the `cas-issuer.jetstack.io` API group. This `jetstack.io` API group is used for legacy reasons and will not be immediately changed to preserve backwards compatibility. This project however is no longer maintained or owned by Jetstack, instead it is maintained by the cert-manager team/ community.

> [!IMPORTANT]
> Starting from version v0.9.0, the docker image for the Google CAS Issuer controller is tagged with a v-prefix (v0.9.0 instead of 0.9.0). The helm chart for v0.9.0 will also refer to this image tag. Make sure to update your image replication rules if necessary.

## Getting started

### Prerequisites

#### CAS-enabled GCP project

Enable the Certificate Authority API (`privateca.googleapis.com`) in your GCP project by following the
[official documentation](https://cloud.google.com/certificate-authority-service/docs/quickstart).

#### CAS-managed Certificate Authorities

You can create a ca pool containing a certificate authority in your current Google project with:

```shell
gcloud privateca pools create my-pool --location us-east1
gcloud privateca roots create my-ca --pool my-pool --key-algorithm "ec-p384-sha384" --subject="CN=my-root,O=my-ca,OU=my-ou" --max-chain-length=2 --location us-east1
```

You should also enable the root CA you just created when prompted by `gcloud`.

> It is recommended to create subordinate CAs for signing leaf
> certificates. See the [official
> documentation](https://cloud.google.com/certificate-authority-service/docs/creating-certificate-authorities).

#### cert-manager

If not already running in the cluster, install cert-manager by following the [official documentation](https://cert-manager.io/docs/installation/kubernetes/).

### Installing Google CAS Issuer for cert-manager

```shell
helm repo add jetstack https://charts.jetstack.io --force-update
helm upgrade -i cert-manager-google-cas-issuer jetstack/cert-manager-google-cas-issuer -n cert-manager --wait
```

Or alternatively, assuming that you have installed cert-manager in the `cert-manager` namespace, you can use a single kubectl
command to install Google CAS Issuer.
Visit the [GitHub releases](https://github.com/cert-manager/google-cas-issuer/releases), select the latest release
and copy the command, e.g.

```shell
kubectl apply -f https://github.com/cert-manager/google-cas-issuer/releases/download/v0.6.1/google-cas-issuer-v0.6.1.yaml
```

You can then skip to the [Setting up Google Cloud IAM](#setting-up-google-cloud-iam) section.

##### Build and push the controller image

**Note**: you can skip this step if using the public images at [quay.io](https://quay.io/repository/jetstack/cert-manager-google-cas-issuer?tag=latest&tab=tags).

Build the docker image:

```shell
make docker-build
```

Push the docker image or load it into kind for testing

```shell
make docker-push || kind load docker-image quay.io/jetstack/cert-manager-google-cas-issuer:latest
```

#### Deploy the controller

Deploy the issuer controller:

```shell
cat <