Keptn + cert-manager.io
Keptn includes a light-weight, customized cert-manager that is used to register Webhooks to the KubeAPI. Bundling the cert-manager simplifies the installation for new users and provides the functionality Keptn needs without the overhead of other cert-managers. For a description of the architecture, see Keptn Certificate Manager.
Keptn also works well with cert-manager.io.
If you are already using cert-manager.io,
you can continue to use it for other components
and use the Keptn cert-manager just for Keptn activities
or you can disable the Keptn cert-manager
and configure Keptn to use cert-manager.io.
If you want Keptn to use cert-manager.io,
you must configure it before you install Keptn.
The steps are:
- Install cert-manager.io if it is not already installed.
- Add the Certificate and Issuer CRs for cert-manager.io.
- (optional) Install Keptn without the built-in keptn-cert-manager and with injected CA annotations via Helm
Add the CR(s) for cert-manager.io
These are the CRs for cert-manager.io to be applied to your cluster:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keptn-certs
  namespace: <keptn-namespace>
spec:
  dnsNames:
    - lifecycle-webhook-service.<keptn-namespace>.svc
    - lifecycle-webhook-service.<keptn-namespace>.svc.cluster.local
    - metrics-webhook-service.<keptn-namespace>.svc
    - metrics-webhook-service.<keptn-namespace>.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: keptn-selfsigned-issuer
  secretName: keptn-certs
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: keptn-selfsigned-issuer
  namespace: <keptn-namespace>
spec:
  selfSigned: {}
Note the following about these fields:
- The apiVersion field refers to the API for the cert-manager.
- The value of the .spec.secretName field as well as the .metadata.name of the Certificate CR must be keptn-certs.
- Substitute the namespace placeholders with your namespace, where Keptn is installed.
Injecting CA Annotations
cert-manager.io supports specific annotations for
injectable resources depending on the injection source.
To configure these annotations, modify the global.caInjectionAnnotations Helm value.
See the CA Injector documentation for more details.
Here is an example values.yaml file demonstrating the configuration of CA injection
by using the cert-manager.io/inject-ca-from annotation:
global:
  certManagerEnabled: false # disable Keptn Cert Manager
  caInjectionAnnotations:
    cert-manager.io/inject-ca-from: keptn-system/keptn-certs
Refer to Customizing the configuration of components for more details.
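The Certificate CR and the Helm values above have to agree with each other: cert-manager.io reads the inject-ca-from annotation as `<namespace>/<Certificate name>`, so a values.yaml copied with `keptn-system` while Keptn runs in another namespace leaves the webhooks without a CA bundle. The following preflight check is an added example, not part of Keptn or cert-manager.io; the function name `preflight` and the `keptn-prod` sample namespace are assumptions, and it expects the Certificate and the Helm values already parsed into dictionaries (for instance from JSON).

```python
import json

CERT_NAME = "keptn-certs"  # name the page requires for the Certificate and its Secret
WEBHOOK_SERVICES = ("lifecycle-webhook-service", "metrics-webhook-service")
INJECT_KEY = "cert-manager.io/inject-ca-from"


def preflight(certificate: dict, helm_values: dict) -> list:
    """Return a list of problems; an empty list means the pieces line up."""
    problems = []
    meta, spec = certificate.get("metadata", {}), certificate.get("spec", {})
    ns = meta.get("namespace", "")

    if meta.get("name") != CERT_NAME:
        problems.append(f"Certificate name is {meta.get('name')!r}, expected {CERT_NAME!r}")
    if spec.get("secretName") != CERT_NAME:
        problems.append(f"secretName is {spec.get('secretName')!r}, expected {CERT_NAME!r}")

    # Each webhook service needs both the short and the cluster-local DNS name.
    wanted = {f"{svc}.{ns}.svc{suffix}"
              for svc in WEBHOOK_SERVICES for suffix in ("", ".cluster.local")}
    for name in sorted(wanted - set(spec.get("dnsNames", []))):
        problems.append(f"missing dnsName {name}")

    glob = helm_values.get("global", {})
    if glob.get("certManagerEnabled") is not False:
        problems.append("global.certManagerEnabled must be false")
    # cert-manager.io reads inject-ca-from as <namespace>/<Certificate name>.
    expected = f"{ns}/{meta.get('name')}"
    actual = (glob.get("caInjectionAnnotations") or {}).get(INJECT_KEY)
    if actual != expected:
        problems.append(f"{INJECT_KEY} is {actual!r}, expected {expected!r}")
    return problems


# Constructed sample: Keptn lives in "keptn-prod", one dnsName was dropped, and
# values.yaml was copied from the page unchanged (still points at keptn-system).
SAMPLE_CERT = json.loads("""{
  "metadata": {"name": "keptn-certs", "namespace": "keptn-prod"},
  "spec": {"secretName": "keptn-certs", "dnsNames": [
    "lifecycle-webhook-service.keptn-prod.svc",
    "lifecycle-webhook-service.keptn-prod.svc.cluster.local",
    "metrics-webhook-service.keptn-prod.svc"]}}""")
SAMPLE_VALUES = {"global": {"certManagerEnabled": False, "caInjectionAnnotations":
                            {INJECT_KEY: "keptn-system/keptn-certs"}}}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CERT, SAMPLE_VALUES):
        print("FAIL:", problem)
```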
Troubleshooting
When experiencing problems with setting up cert-manager.io, please refer to the cert-manager.io troubleshooting page.