A Kubernetes operator that allows for automatic provisioning and distribution of cert-manager certs across namespaces

cached-certificate-operator

CachedCertificate Workflow

When a CachedCertificate is created or updated the operator does the following:

  • Check for a valid upstream Certificate
    • Create if missing and then resync
  • Wait for upstream Secret to be created
  • Sync the upstream Secret to the target local secret name
  • Watch for upstream Secret changes and sync down

Quickstart Install

The process below uses the kustomize files in ./config to enable easy deployment.

# get the latest code
git clone git@github.com:weave-lab/cached-certificate-operator.git
cd cached-certificate-operator

# install operator into the K8s cluster specified in ~/.kube/config
kubectl apply -k config/default

Try out the operator with a self-signed CA

The steps below depend on having cert-manager installed in the cluster.

We do not cover installing cert-manager. Instead see the official cert-manager installation docs.

Create a selfSigned issuer

# wait for cert-manager to come up
kubectl create -f <(cat <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
EOF
)

Put some basic certs in

kubectl apply -f config/samples/cache_v1alpha1_cachedcertificate.yaml
kubectl apply -f config/samples/cache_v1alpha1_cachedcertificate-alt.yaml

You should see two valid secrets for the two resources fairly quickly:

kubectl get secrets -l cache.weavelab.xyz/synced-from-cache

Create secondary CachedCertificates for DNSNames that have already had certs provisioned

kubectl apply -f config/samples/cache_v1alpha1_cachedcertificate-2.yaml
kubectl apply -f config/samples/cache_v1alpha1_cachedcertificate-alt-2.yaml

You should see 4 valid secrets for the 4 resources.

kubectl get secrets -l cache.weavelab.xyz/synced-from-cache

However, if you check for Certificates, you will only see two resources. Even though there are 4 CachedCertificates in total, they contain only two unique sets of dnsNames, so the operator creates one upstream Certificate per unique set and prevents duplicates from being created.

kubectl get certificates -n cached-certificate-operator-system

Local Development

Create a test kubernetes cluster

The official docs use k3d but any cluster creation tool will work.

k3d cluster create cc-op

NOTE: Be absolutely sure this is done and that your current kubectl context is for your temp cluster before continuing

Install the CRDs

make install

Install the latest cert-manager

This is a bare minimum install with default configuration for cert-manager. It is most likely not ideal for production use but works just fine for local development.

kubectl create -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml

Run the operator locally

make run

Next, try the operator by following the instructions in "Try out the operator with a self-signed CA" above.

Testing

This operator has both standard unit tests and full-featured integration tests.

All tests can be run using make test

You can also manually install kubebuilder and its dependencies, which will allow you to run a full go test ./... locally or even run tests via your editor!

Setup for test exec without using make

K8S_VERSION=1.19.2

# the bin directory must exist before kubebuilder is moved into it
sudo mkdir -p /usr/local/kubebuilder/bin

# Get the latest kubebuilder and put it into the expected location
curl -L -o kubebuilder https://go.kubebuilder.io/dl/latest/$(go env GOOS)/$(go env GOARCH)
chmod +x kubebuilder && sudo mv kubebuilder /usr/local/kubebuilder/bin/

# Get the full k8s envtest deps and put them into the expected location
curl -sSLo envtest-bins.tar.gz "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-${K8S_VERSION}-$(go env GOOS)-$(go env GOARCH).tar.gz"
sudo tar -C /usr/local/kubebuilder/ --strip-components=1 -zvxf envtest-bins.tar.gz

# Add kubebuilder to your path
echo 'export PATH=$PATH:/usr/local/kubebuilder/bin' >> ~/.bashrc
. ~/.bashrc

Now go test ./... should work!

Comments
  • Support Wildcards

    Support Wildcards

    This solves #3

    Changes

    • Replacing occurrences of "*" in the secret name to instead be "x"
    • An issue occurred where the hashing would produce backslash characters - now replacing occurrences of backslash characters with an "x"

    Benefits

    • Cached certificates such as:

      ---
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: selfsigned-issuer
      spec:
        selfSigned: {}
      ---
      apiVersion: cache.weavelab.xyz/v1alpha1
      kind: CachedCertificate
      metadata:
        name: wildcard-cert
      spec:
        issuerRef:
          name: selfsigned-issuer
          kind: ClusterIssuer
        dnsNames:
          - "*.example.com"

      Work without problems! 🎉
  • Support wildcard certs

    Support wildcard certs

    Request

    This is a great project. I'd be happy to sponsor it monthly. I see a great potential feature - supporting wildcards. Given that the CertificateRequest with cert-manager allows wildcard domains, it would be great to support that here as well.

    Problem

    With this manifest:

    ---
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: selfsigned-issuer
    spec:
      selfSigned: {}
    ---
    apiVersion: cache.weavelab.xyz/v1alpha1
    kind: CachedCertificate
    metadata:
      name: wildcard-cert
    spec:
      issuerRef:
        name: selfsigned-issuer
        kind: ClusterIssuer
      dnsNames:
        - "*.example.com"
    

    It fails to report any status:

    kubectl get cachedcertificates
    NAME                                       UPSTREAM_READY   STATE
    wildcard-cert
    

    Let's get the logs:

    kubectl -n cached-certificate-operator-system get pod | grep cached-certificate-operator-controller-manager | awk '{print $1}' | xargs kubectl -n cached-certificate-operator-system -c manager logs
    

    And we see the error:

    2022-09-06T21:25:19.892Z	ERROR	controller-runtime.manager.controller.cachedcertificate	Reconciler error	{"reconciler group": "cache.weavelab.xyz", "reconciler kind": "CachedCertificate", "name": "wildcard-cert", "namespace": "default", "error": "Certificate.cert-manager.io \"cc-*.example.com\" is invalid: metadata.name: Invalid value: \"cc-*.example.com\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"}
    github.com/go-logr/zapr.(*zapLogger).Error
    	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:132
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:302
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2
    	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216
    k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
    k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
    k8s.io/apimachinery/pkg/util/wait.BackoffUntil
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
    k8s.io/apimachinery/pkg/util/wait.JitterUntil
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
    k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
    k8s.io/apimachinery/pkg/util/wait.UntilWithContext
    	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99
    

    Value

    If the same cert is requested from LetsEncrypt with the same exact domains, it can be requested at most 5 times .. whereas, with this CachedCertificate and work from Weave Lab, a wildcard cert could be used to secure an infinite number of domains without issues!

    Please let me know how I can help.
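The error above and the wildcard PR both come down to one thing: the upstream Certificate name is derived from the dnsNames, and a "*" is not a valid character in a Kubernetes object name. The following is an added Go example (not the operator's own code) that validates a name with the exact regex quoted in the log, normalizes a dnsNames list so that equal sets share one upstream Certificate (the de-duplication the README describes), and derives an RFC 1123-safe name with "*" replaced by "x" as the PR does. The "cc-" + first dnsName + hex digest layout, the helper names and the use of a hex digest are assumptions, since the page only shows the value cc-*.example.com.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"regexp"
	"sort"
	"strings"
)

// rfc1123Subdomain is the validation regex quoted verbatim in the API server error above.
var rfc1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// disallowedRune matches anything a Kubernetes name may not contain, e.g. the '*' of a wildcard.
var disallowedRune = regexp.MustCompile(`[^a-z0-9.-]`)

// IsValidK8sName reports whether the API server would accept name as a Certificate name.
func IsValidK8sName(name string) bool {
	return len(name) <= 253 && rfc1123Subdomain.MatchString(name)
}

// NormalizeDNSNames lowercases, de-duplicates and sorts the list, so that two CachedCertificates
// listing the same set of dnsNames in any order share one upstream Certificate (one cert per set).
func NormalizeDNSNames(dnsNames []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, n := range dnsNames {
		if n = strings.ToLower(strings.TrimSpace(n)); n != "" && !seen[n] {
			seen[n], out = true, append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// UpstreamCertName derives a deterministic, RFC 1123-safe name (assumed scheme, not the operator's):
// "cc-" + first normalized dnsName with each disallowed rune, '*' included, replaced by "x" as the
// PR does, + "-" + a short hex digest of the whole set, so that distinct sets never collide.
func UpstreamCertName(dnsNames []string) string {
	norm := NormalizeDNSNames(dnsNames)
	if len(norm) == 0 {
		return "" // nothing to cache without dnsNames; the caller should reject the resource
	}
	sum := sha256.Sum256([]byte(strings.Join(norm, ",")))
	digest := hex.EncodeToString(sum[:])[:8] // hex never yields the backslashes the PR ran into
	label := disallowedRune.ReplaceAllString(norm[0], "x")
	name := "cc-" + label + "-" + digest
	if !IsValidK8sName(name) { // label too long or badly punctuated: fall back to the digest alone
		name = "cc-" + digest
	}
	return name
}
```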
