erwinvaneyk/cert-completer
Latest commit bd57acc · Mar 3, 2024 (8 commits)
Cert Completer

Cert Completer is a small Kubernetes operator that ensures that all TLS secrets have a valid ca.crt.

It addresses a specific issue with the (Let's Encrypt) ACME provider in cert-manager, where the ca.crt key of the generated secret is left without a CA certificate. Although issues have been raised to fill the ca.crt (see #2111 and #1571), it is not clear if and when they will be resolved. Cert Completer is an attempt to patch this gap immediately, regardless of the cert-manager version.

To provide each TLS secret with a ca.crt, the operator parses the certificate chain in tls.crt and uses the last (top-most) certificate of that chain as ca.crt. This does not guarantee that ca.crt contains a root CA, because the chain in tls.crt may end at an intermediate; it does guarantee that the CA placed in ca.crt is valid for the TLS secret, i.e. it is the issuer at the top of that secret's own chain.
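The chain-parsing step described above, as an added Go example (not the project's own code): DeriveCA takes the PEM chain from tls.crt, checks that each certificate is signed by the next one, and returns the last certificate as ca.crt; CompleteTLSSecret applies it to a kubernetes.io/tls secret's data map and leaves secrets that already carry a ca.crt untouched. The function names, the refusal of a leaf-only tls.crt, and the constructed issuer/leaf pair produced by BuildConstructedTLSCrt are assumptions made for this example, not behaviour documented for Cert Completer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeriveCA implements the README's strategy: parse the PEM chain in tls.crt and return
// its last (top-most) certificate as ca.crt, after checking that each certificate is
// signed by the next, so the value in ca.crt really is an issuer in this chain.
func DeriveCA(tlsCrt []byte) ([]byte, error) {
	var chain []*x509.Certificate
	for {
		var block *pem.Block
		if block, tlsCrt = pem.Decode(tlsCrt); block == nil {
			break
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d in tls.crt: %w", len(chain), err)
		}
		chain = append(chain, cert)
	}
	// Example policy (the README does not specify one): a lone leaf has no issuer to copy.
	if len(chain) < 2 {
		return nil, errors.New("tls.crt holds no issuer certificate after the leaf")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil, fmt.Errorf("certificate %d not signed by certificate %d: %w", i, i+1, err)
		}
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: chain[len(chain)-1].Raw}), nil
}

// CompleteTLSSecret fills in data["ca.crt"] of a kubernetes.io/tls secret's data map
// when that key is missing or empty, and reports whether the map was changed.
func CompleteTLSSecret(data map[string][]byte) (bool, error) {
	if len(data["ca.crt"]) > 0 {
		return false, nil // already complete; nothing to reconcile
	}
	caCrt, err := DeriveCA(data["tls.crt"]) // a missing tls.crt decodes to an empty chain
	if err != nil {
		return false, err
	}
	data["ca.crt"] = caCrt
	return true, nil
}

// issue generates a fresh P-256 key for tmpl and signs it under parent with parentKey;
// a nil parentKey yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildConstructedTLSCrt builds an in-memory issuer CA plus a leaf for www.example.com
// (constructed test data, not cert-manager output) and lays tls.crt out the way an
// ACME issuer does: leaf first, then the issuer.
func BuildConstructedTLSCrt() ([]byte, error) {
	now := time.Now()
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuer CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leafCert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	tlsCrt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
	return append(tlsCrt, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})...), nil
}
```

Running DeriveCA over real cert-manager output follows the same path: the leaf comes first, so with a two-element chain the issuer certificate becomes ca.crt. The signature check is what turns "last certificate in the file" into "issuer of this secret": a chain pasted in the wrong order, or a tls.crt that contains only the leaf, is reported as an error instead of being written into ca.crt.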

Installation

Using pre-built resources:

kubectl apply -f https://raw.githubusercontent.com/erwinvaneyk/cert-completer/master/cert-completer.yaml

Using Kustomize (requires kubectl > 1.15):

kubectl apply -k github.com/erwinvaneyk/cert-completer//config/default

For alternative, custom deployments, clone the repository and modify ./config/default/kustomization.yaml.