Cert Manager
Learn how and why deployKF uses cert-manager. Learn how to integrate your existing cert-manager with deployKF and Kubeflow.
What is cert-manager?
Cert-Manager is a widely-used Kubernetes operator that declaratively manages TLS certificates using Kubernetes resources.
The core resource of cert-manager is the `Certificate`, which is a Kubernetes custom resource that specifies the details of a TLS certificate (e.g. domain name). Each `Certificate` references an `Issuer` (or `ClusterIssuer`) which tells cert-manager how to provision the certificate (e.g. using Let's Encrypt or self-signing). Cert-Manager can store provisioned certificates in Kubernetes `Secrets` so they can be used by Pods, and will automatically renew the certificate when it is about to expire.
What is trust-manager?
Trust-Manager is a Kubernetes operator that declaratively manages trust bundles using Kubernetes resources. deployKF uses trust-manager when self-signed certificates are configured (the default) because it allows us to distribute the root CA certificate (via our root CA `Bundle`) to all services in the platform.
How does deployKF use cert-manager?
deployKF uses cert-manager to provision TLS certificates for the Istio Ingress Gateway. Furthermore, many tools in the platform use cert-manager to provision TLS certificates for internal webhooks and APIs.
See the Configure TLS Certificates guide for more details.
Can I use my existing cert-manager?
Yes.
If you already have cert-manager deployed in your cluster, you may configure deployKF to use it instead of the embedded one.
Valid Certificates Required
If you disable the embedded cert-manager, the `ClusterIssuer` you configure MUST be able to provision valid certificates (not self-signed). Otherwise, deployKF will fail to start due to certificate validation errors.
This is not a problem when using the embedded cert-manager, as all components are automatically configured to trust the default self-signed root CA.
Step 1 - Disable Embedded Cert-Manager
Disable the embedded cert-manager by setting the `deploykf_dependencies.cert_manager.enabled` value to `false`:

```yaml
deploykf_dependencies:
  cert_manager:
    enabled: false
```
Step 2 - Configure ClusterIssuer
When the embedded cert-manager is disabled, the `deploykf_dependencies.cert_manager.clusterIssuer` value still selects the `ClusterIssuer` to use (which must be provisioned by you).
For example, to use a `ClusterIssuer` named `my-cluster-issuer`, you would set the following values:
```yaml
deploykf_dependencies:
  cert_manager:
    enabled: false
    clusterIssuer:
      ## NOTE: when `cert_manager.enabled` is false,
      ##       all other `cert_manager` values (besides `clusterIssuer`) have NO effect
      issuerName: my-cluster-issuer
```
If you don't already have a `ClusterIssuer`, see Use Let's Encrypt with Cert-Manager for an example of how to configure one.
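The two steps above, together with the "Valid Certificates Required" note, amount to a pre-flight check you can run before installing: when the embedded cert-manager is disabled, the named `ClusterIssuer` must exist, must not be `selfSigned`, and must be `Ready`. The following is an added example (not deployKF's own code) that performs that check on plain dicts, i.e. the output of `yaml.safe_load` on your values file and of `kubectl get clusterissuer -o yaml`; the issuer objects below are constructed for illustration.

```python
"""Pre-flight check for running deployKF against an existing cert-manager.

Added example, not part of deployKF. Inputs are the parsed values file and the
list of ClusterIssuer objects present in the cluster (both as plain dicts).
"""


def check_external_issuer(values: dict, cluster_issuers: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means the configuration is usable."""
    cm = values.get("deploykf_dependencies", {}).get("cert_manager", {})
    if cm.get("enabled", True):
        # Embedded cert-manager: components trust its self-signed root CA, nothing to check.
        return []

    name = cm.get("clusterIssuer", {}).get("issuerName")
    if not name:
        return ["cert_manager.enabled is false but clusterIssuer.issuerName is not set"]

    issuer = next((ci for ci in cluster_issuers if ci["metadata"]["name"] == name), None)
    if issuer is None:
        return [f"ClusterIssuer {name!r} does not exist in the cluster"]

    problems = []
    if "selfSigned" in issuer.get("spec", {}):
        # Without the embedded cert-manager (and its root CA Bundle), platform
        # components do not trust self-signed certificates and fail to start.
        problems.append(f"ClusterIssuer {name!r} is selfSigned; a valid (trusted) issuer is required")

    conditions = issuer.get("status", {}).get("conditions", [])
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions):
        problems.append(f"ClusterIssuer {name!r} is not Ready; it cannot provision certificates")
    return problems


# Constructed sample inputs: the values from this guide plus two made-up ClusterIssuers.
VALUES = {"deploykf_dependencies": {"cert_manager": {"enabled": False,
          "clusterIssuer": {"issuerName": "my-cluster-issuer"}}}}
CLUSTER_ISSUERS = [
    {"metadata": {"name": "my-cluster-issuer"},
     "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "selfsigned-issuer"}, "spec": {"selfSigned": {}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]

if __name__ == "__main__":
    for problem in check_external_issuer(VALUES, CLUSTER_ISSUERS):
        print("PROBLEM:", problem)
```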
Created: 2024-01-16