Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/guilhem/freeipa-issuer
A cert-manager external issuer for FreeIPA
certificate kubernetes pki
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/guilhem/freeipa-issuer
- Owner: guilhem
- License: apache-2.0
- Created: 2020-12-22T17:48:42.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2024-04-30T09:30:36.000Z (7 months ago)
- Last Synced: 2024-10-17T18:27:25.364Z (30 days ago)
- Topics: certificate, kubernetes, pki
- Language: Go
- Homepage:
- Size: 182 KB
- Stars: 32
- Watchers: 5
- Forks: 14
- Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# FreeIPA Issuer
[![CodeQL](https://github.com/guilhem/freeipa-issuer/workflows/CodeQL/badge.svg)](https://github.com/guilhem/freeipa-issuer/actions?query=workflow%3ACodeQL)
A [cert-manager](https://cert-manager.io) external issuer to be used with [FreeIPA](https://www.freeipa.org/).
## Prerequisite
- kubernetes
- cert-manager **1.0+**
- [kustomize](https://github.com/kubernetes-sigs/kustomize)
- optional: Kubernetes worker nodes adopted into the FreeIPA domain (for use with a self-signed certificate)

## Install
### kustomize
`kustomization.yaml`:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
  name: freeipa-issuer
commonLabels:
  app: freeipa-issuer
resources:
  - https://github.com/guilhem/freeipa-issuer/config/default
```

## Configuration
[examples](config/samples)
### Issuer
An Issuer is a namespaced resource.
```yaml
apiVersion: certmanager.freeipa.org/v1beta1
kind: Issuer
metadata:
  name: issuer-sample
spec:
  host: freeipa.example.test
  # Credentials used to authenticate to FreeIPA, read from the Secret below
  user:
    name: freeipa-auth
    key: user
  password:
    name: freeipa-auth
    key: password

  # Optionals
  serviceName: HTTP
  addHost: true
  addService: true
  addPrincipal: true
  ca: ipa
  # Do not verify the TLS certificate of the IPA server connection.
  # Set this to true only if you cannot build your own container image
  # with the IPA server CA injected as trusted.
  insecure: true
  # Works around a bug when adding a service
  ignoreError: true
---
apiVersion: v1
kind: Secret
metadata:
  name: freeipa-auth
data:
  # Values under `data` must be base64-encoded
  user: b64value
  password: b64value
```

### Disable Approval Check
The FreeIPA Issuer will wait for CertificateRequests to have an [approved
condition
set](https://cert-manager.io/docs/concepts/certificaterequest/#approval) before
signing. If using an older version of cert-manager (pre v1.3), you can disable
this check by supplying the command line flag `-disable-approved-check` to the
Issuer Deployment.

## Usage
### Secure an Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    # Name of the issuer to use; it must be in the same namespace as the Ingress
    cert-manager.io/issuer: freeipa-issuer
    # The group of the out-of-tree issuer is needed for cert-manager to find it
    cert-manager.io/issuer-group: certmanager.freeipa.org
    # Common name for the certificate
    cert-manager.io/common-name: www.example.com
spec:
  # Placing a host in the TLS config indicates that a certificate should be created
  tls:
    - hosts:
        - www.example.com
      # The certificate will be stored in this secret
      secretName: example-cert
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: backend
              servicePort: 80
```
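The Ingress annotations above let cert-manager's ingress-shim create the CertificateRequest implicitly. A cert-manager `Certificate` resource requests a certificate from the FreeIPA Issuer explicitly, which is the form to use for non-Ingress workloads. The following is an added example, not part of the project's README; it assumes the Issuer named `issuer-sample` from the Configuration section exists in the same namespace and that cert-manager 1.0+ (which serves the `cert-manager.io/v1` API) is installed.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
spec:
  # The issued certificate and private key are stored in this Secret (tls.crt / tls.key)
  secretName: www-example-com-tls
  commonName: www.example.com
  dnsNames:
    - www.example.com
  # Requested validity; the FreeIPA CA profile decides what is actually issued
  duration: 2160h    # 90 days
  renewBefore: 360h  # renew 15 days before the issued certificate expires
  privateKey:
    algorithm: RSA
    size: 2048
    # Generate a fresh private key on every renewal instead of reusing the old one
    rotationPolicy: Always
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    # Must match metadata.name of the Issuer, in the same namespace as this Certificate
    name: issuer-sample
    kind: Issuer
    # The group tells cert-manager which external controller owns this Issuer kind
    group: certmanager.freeipa.org
```

cert-manager computes renewal from the `notAfter` of the certificate it actually receives, so `renewBefore` still applies if FreeIPA issues a longer or shorter validity than requested. The `issuerRef.group` line is the same requirement as the `cert-manager.io/issuer-group` annotation on the Ingress: without it cert-manager looks for a `cert-manager.io` Issuer and the request is never handed to this controller.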