Keptn + cert-manager.io
Keptn includes a light-weight, customized cert-manager that is used to register Webhooks to the KubeAPI. Bundling the cert-manager simplifies the installation for new users and provides the functionality Keptn needs without the overhead of other cert-managers. For a description of the architecture, see Keptn Certificate Manager.
Keptn also works well with cert-manager.io. If you are already using cert-manager.io, you can continue to use it for other components and use the Keptn cert-manager just for Keptn activities or you can disable the Keptn cert-manager and configure Keptn to use cert-manager.io.
If you want Keptn to use cert-manager.io, you must configure it before you install Keptn. The steps are:
- Install cert-manager.io if it is not already installed.
- Add the Certificate and Issuer CRs for cert-manager.io.
- (optional) Install Keptn without the built-in keptn-cert-manager via Helm
Add the CR(s) for cert-manager.io
These are the CRs for cert-manager.io to be applied to your cluster:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keptn-certs
  namespace: <your-namespace>
spec:
  dnsNames:
    - lifecycle-webhook-service.<your-namespace>.svc
    - lifecycle-webhook-service.<your-namespace>.svc.cluster.local
    - metrics-webhook-service.<your-namespace>.svc
    - metrics-webhook-service.<your-namespace>.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: keptn-selfsigned-issuer
  secretName: keptn-certs
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: keptn-selfsigned-issuer
  namespace: <your-namespace>
spec:
  selfSigned: {}
Note the following about these fields:
- The apiVersion field refers to the API for the cert-manager.
- The value of the .spec.secretName field as well as the .metadata.name of the Certificate CR must be keptn-certs.
- Substitute the namespace placeholders with your namespace, where Keptn is installed.
See the CA Injector documentation for more details.
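The field requirements noted above can be checked before the CRs are applied. The following is an added example, not part of the Keptn documentation: it assumes the Certificate and Issuer objects have been loaded as a list of dicts (for instance from the manifests converted to JSON), and the `lint` function, the `keptn-system` namespace and the sample input are constructed for illustration.

```python
import json

REQUIRED_NAME = "keptn-certs"  # required .metadata.name and .spec.secretName
WEBHOOK_SERVICES = ("lifecycle-webhook-service", "metrics-webhook-service")

def expected_dns_names(namespace):
    """The four dnsNames from the manifest, with the namespace substituted."""
    return {f"{svc}.{namespace}.{suffix}"
            for svc in WEBHOOK_SERVICES
            for suffix in ("svc", "svc.cluster.local")}

def lint(objects):
    """Return a list of problems found in Certificate/Issuer dicts."""
    issuers = {(o["metadata"].get("namespace"), o["metadata"].get("name"))
               for o in objects if o.get("kind") == "Issuer"}
    certs = [o for o in objects if o.get("kind") == "Certificate"]
    problems = [] if certs else ["no Certificate object found"]
    for cert in certs:
        meta, spec = cert.get("metadata", {}), cert.get("spec", {})
        ns = meta.get("namespace", "")
        if not ns or "<" in ns:
            problems.append("namespace placeholder not substituted")
            continue
        if meta.get("name") != REQUIRED_NAME:
            problems.append(f".metadata.name is {meta.get('name')!r}")
        if spec.get("secretName") != REQUIRED_NAME:
            problems.append(f".spec.secretName is {spec.get('secretName')!r}")
        missing = expected_dns_names(ns) - set(spec.get("dnsNames", []))
        problems += [f"missing dnsName {n}" for n in sorted(missing)]
        ref = spec.get("issuerRef", {})
        # An Issuer is namespaced, so it must live beside the Certificate.
        if ref.get("kind", "Issuer") == "Issuer" and (ns, ref.get("name")) not in issuers:
            problems.append(f"Issuer {ref.get('name')!r} not defined in {ns!r}")
    return problems

# Constructed sample input with three deliberate mistakes.
SAMPLE = json.loads("""[
 {"kind": "Certificate",
  "metadata": {"name": "keptn-certs", "namespace": "keptn-system"},
  "spec": {"secretName": "keptn-cert",
           "dnsNames": ["lifecycle-webhook-service.keptn-system.svc",
                        "lifecycle-webhook-service.keptn-system.svc.cluster.local",
                        "metrics-webhook-service.keptn-system.svc"],
           "issuerRef": {"kind": "Issuer", "name": "keptn-selfsigned-issuer"}}},
 {"kind": "Issuer", "spec": {"selfSigned": {}},
  "metadata": {"name": "keptn-selfsigned-issuer", "namespace": "default"}}
]""")

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print("FAIL:", problem)
```

An empty list from `lint` means the objects meet the requirements listed in the notes; each returned string names one field to fix.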