Skip to content

Cert-Manager Integration

Setup

The following sections will guide you through the one-time setup that is required for providing certificates using cert-manager and kube-bind.

Install cert-manager

Install cert-manager in your Kubernetes cluster, where kube-bind backend is running, if you haven't already. You can follow the official installation guide.

Export the Certificate CRD

To export the cert-manager Certificate CRD, add the kube-bind export label to it:

kubectl label crd certificates.cert-manager.io kube-bind.io/exported=true --overwrite

Create a SelfSigned Issuer

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-selfsigned-issuer
spec:
  selfSigned: {}
EOF

Create a APIServiceExportTemplate

It's now time to configure kube-bind to export the certificate resource. To do so, create a kube-bind APIServiceExportTemplate for Certificate resources like this one:

kubectl apply -f - <<EOF
apiVersion: kube-bind.io/v1alpha2
kind: APIServiceExportTemplate
metadata:
  labels:
    provider: cert-manager
  name: certificate
spec:
  permissionClaims:
  - group: ""
    resource: secrets
    selector:
      references:
        - resource: certificates
          group: cert-manager.io
          jsonPath:
            name: 'spec.secretName'
  resources:
  - group: cert-manager.io
    resource: certificates
    versions:
    - v1
  scope: Namespaced
EOF

Usage

Now that everything is set up, users can begin to bind to your backend and begin consuming the new API.

Login to kube-bind

kubectl bind login https://kube-bind.example.com

Request a Binding

Request a binding to the certificate template created above. This will allow you to create Certificate objects in your consumer cluster.

# you will get redirected to UI to authenticate and pick the template
kubectl bind

Wait for the Binding to be Established

Once the binding is active, you can create Certificate objects in your consumer cluster, and you will get Certificate objects synced from the provider cluster.

kubectl bind
🌐 Opening kube-bind UI in your browser...
    https://kube-bind.genericcontrolplane.io?redirect_url=....

Browser opened successfully
Waiting for binding completion from UI...
   (Press Ctrl+C to cancel)

Binding completed successfully!
Created kube-bind namespace.
🔒 Created secret kube-bind/kubeconfig-p6mfh for host https://api.kcp-prod.kcp.internal.canary.k8s.ondemand.com:443, namespace kube-bind-dkxkx
🚀 Deploying konnector v0.6.0 to namespace kube-bind with custom image "ghcr.io/kube-bind/konnector:v0.6.0-rc1".
   Waiting for the ...................
 Created APIServiceBinding certificate for 1 resources
Created 1 APIServiceBinding(s):
  - certificate
Resources bound successfully!

Create a Certificate

Now you can finally create a Certificate object in your consumer cluster. The cert-manager in the provider cluster will handle the issuance and management of the TLS certificate.

Note

my-selfsigned-issuer must be present in the provider cluster for this example to work.

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-tls-cert
  namespace: default
spec:
  commonName: my-ca
  isCA: true
  issuerRef:
    kind: ClusterIssuer
    name: my-selfsigned-issuer
  secretName: my-tls-cert
EOF

Wait for Provisioning

Observe that the Certificate object is created in the consumer cluster and the corresponding TLS Secret is generated:

kubectl get certificates
NAME          READY   SECRET        AGE
my-tls-cert   True    my-tls-cert   6m55s

kubectl get secrets
NAME          TYPE                DATA   AGE
my-tls-cert   kubernetes.io/tls   3      6m33s