Learn how to set Certificate defaults automatically
Last Verified: 19 January 2024
Objective
We will set up a cluster where a user specifies as little YAML as possible in Certificate resources.
This will be achieved by utilizing Kyverno to apply custom "default" values to the Certificate fields, that are not specified by a user.
There are some benefits to having defaults:
Certificateconsumers minimize their YAML resources.Certificateconsumers retain flexibility to override fields when needed.- Cluster operators can decide what the default should be, rather than having to rely on built-in defaults from cert-manager.
Use cases
By setting custom defaults across our cluster, we enable platform teams to tackle use cases such as:
-
To ensure that
CertificateRequestresources get cleaned up.Use a
ClusterPolicyto set a custom default value for theCertificate.Spec.RevisionHistoryLimitfield. -
To help your users choose secure default key settings for their
Certificateresources.Use a
ClusterPolicyto set custom default values for theCertificate.Spec.PrivateKeyfields. -
To default the
Issuerfor users within the cluster.Use a
ClusterPolicyto set a custom default for theCertificate.spec.issuerReffields. -
To set a default pattern for the naming of the
Secretwhere the certificate will be populated.Use a
ClusterPolicyto set a custom default value for thespec.secretNamerequired field. -
Make application developers' lives easier by allowing them to create secure X.509 TLS certificates with the minimum of configuration.
Use a
ClusterPolicyto set all other requiredCertificate.specfields. Only a single identity specification field will be required, one of:commonNameorliteralSubjectdnsNamesurisemailAddressesipAddressesotherNames
Process
We will set up defaults for three different scenarios, getting slightly more advanced each time:
- Setting defaults for optional
Certificateresource fields. - Setting defaults for required
Certificateresource fields. - Setting defaults for
Certificateresource fields, when usingIngressannotations to request certificates.
Setup
Prerequisites
💻 Software
- kubectl: The Kubernetes command-line tool which allows you to configure Kubernetes clusters.
- helm: A package manager for Kubernetes.
- kind (OPTIONAL): For creating a local Kubernetes environment that runs in Docker or other container runtimes.
Local Kubernetes Environment
⚠️ This step can be skipped if you have another Kubernetes environment.
-
Create a cluster environment using
kindfor this tutorial.kind create cluster --name defaults⏲ It should take less than one minute to create the cluster, depending on your machine.
⚠️ This cluster is only suitable for learning purposes. It is not suitable for production use.
Software Installation
Once you have your cluster environment, install the required Kubernetes packages using helm.
-
Set some environment variables for the helm chart versions:
export CERT_MANAGER_CHART_VERSION="v1.14.4" \KYVERNO_CHART_VERSION="3.1.4" \INGRESS_NGINX_CHART_VERSION="4.9.0" -
Install cert-manager
helm upgrade --install cert-manager cert-manager \--namespace cert-manager \--version $CERT_MANAGER_CHART_VERSION \--set installCRDs=true \--set startupapicheck.enabled=false \--create-namespace \--repo https://charts.jetstack.io/ -
Install Kyverno
helm upgrade --install kyverno kyverno \--namespace kyverno-system \--version $KYVERNO_CHART_VERSION \--create-namespace \--repo https://kyverno.github.io/kyverno/ -
Install ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx \--namespace ingress-nginx \--version $INGRESS_NGINX_CHART_VERSION \--create-namespace \--repo https://kubernetes.github.io/ingress-nginx
For complete installation instructions, please refer to the following links:
Setting Defaults
The main tutorial starts here with some background, before tackling each of the three scenarios.
Required vs Non-required
The Certificate resource has a spec section with a number of "required" fields.
This means these fields must be present when you create a Certificate resource.
There are also a number of other fields that are not required to be explicitly defined on each Certificate resource.
This essentially means the value of one of these fields is either not required, or has defaults defined somewhere else.
That somewhere else could be in the cert-manager code base, or indeed by the issuer that creates and returns the X.509 certificate.
Let's explore how we can manipulate these values to be something custom and make the Certificate user's life easier.
We will set up some ClusterPolicy resources and Certificate resources in this tutorial.
We will make reference to a ClusterIssuer in the Certificate spec that doesn't exist, but for this tutorial the ClusterIssuer is not required as we will not actually be requesting certificates.
That means anyone can follow this tutorial even without their own domain.
⚠️ To make it easy to get started we are using cluster scoped
ClusterPolicyresources. You can scope your defaults to the namespace level through the use ofPolicyresources in the future, but that will not be covered in this tutorial.
1 - Defaulting optional fields
In this section we will create rules which set three fields for all Certificate resources automatically.
None of the three fields here are required fields, but they might need to be set depending on platform and issuer preferences.
These rules will:
- Set a default value of:
revisionHistoryLimit: 2. - Set a default value of
Alwaysunderspec.privateKey.rotationPolicy. - Set defaults for all
spec.privateKeyfields.
ℹ️ Note how these rules tackle the first two of our uses cases.
-
First take a look at the
ClusterPolicy:apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: mutate-certificatesspec:failurePolicy: Failrules:# Set a sane default for the history field if not already present- name: set-revisionHistoryLimitmatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:# +(...) This is the clever syntax for if not already set+(revisionHistoryLimit): 2# Set rotation to always if not already set- name: set-privateKey-rotationPolicymatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:privateKey:+(rotationPolicy): Always# Set private key details for algorithm and size- name: set-privateKey-detailsmatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:privateKey:+(algorithm): ECDSA+(size): 521+(encoding): PKCS1 -
Apply the policy to the cluster and check that it is ready:
kubectl apply -f cpol-mutate-certificates-0.yamlkubectl get cpolWhen the
ClusterPolicyis ready the output should look like this:NAME ADMISSION BACKGROUND VALIDATE ACTION READY AGE MESSAGEmutate-certificates true true Audit True 0s Ready -
Now inspect the "test-revision"
Certificate:apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-revisionnamespace: defaultspec:dnsNames:- example.comissuerRef:group: cert-manager.iokind: ClusterIssuername: not-my-corp-issuersecretName: test-revision-certYou can see that we have set the most minimal configuration currently possible, specifying only a DNS name for the certificate, where to save it (
secretName) and the issuer to use to request the certificate (issuerRef). -
Use the following command to dry-run apply the certificate and then
diffit against the original resource, to see how the defaults from ourClusterPolicyare applied:kubectl apply -f cert-test-revision.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision.yaml -This command should return some output similar to this example:
--- cert-test-revision.yaml 2024-01-08 12:14:59.225074232 +0000+++ - 2024-01-12 17:37:51.076593214 +0000@@ -1,8 +1,14 @@apiVersion: cert-manager.io/v1kind: Certificatemetadata:+ annotations:+ kubectl.kubernetes.io/last-applied-configuration: |+ {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"secretName":"test-revision-cert"}}+ creationTimestamp: "2024-01-12T17:37:51Z"+ generation: 1name: test-revisionnamespace: default+ uid: 9f9a4f0a-4aa7-427d-ae4b-c1716fed8246spec:dnsNames:- example.com@@ -10,4 +16,10 @@group: cert-manager.iokind: ClusterIssuername: not-my-corp-issuer+ privateKey:+ algorithm: ECDSA+ encoding: PKCS1+ rotationPolicy: Always+ size: 521+ revisionHistoryLimit: 2secretName: test-revision-certWe have successfully defaulted the
privateKeyandrevisionHistoryLimitfields! -
Let's override all of these defaulted fields, to validate that we can still set what we want as an end user. To test this, let's use the "test-revision-override"
Certificate:apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-revision-overridenamespace: defaultspec:dnsNames:- example.comissuerRef:group: cert-manager.iokind: ClusterIssuername: not-my-corp-issuerprivateKey:algorithm: RSAencoding: PKCS8rotationPolicy: Neversize: 4096revisionHistoryLimit: 44secretName: test-revision-override-cert🔗
cert-test-revision-override.yamlAs before, dry-run apply and
diffthe output with the input file:kubectl apply -f cert-test-revision-override.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision-override.yaml -Here you can see in the output there are no specification changes for the
Certificateitself. TheCertificatealready had all the fields defined that ourClusterPolicyrules would have affected.--- cert-test-revision-override.yaml 2024-01-05 14:45:14.972562067 +0000+++ - 2024-01-12 17:39:57.217028745 +0000@@ -1,8 +1,14 @@apiVersion: cert-manager.io/v1kind: Certificatemetadata:+ annotations:+ kubectl.kubernetes.io/last-applied-configuration: |+ {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision-override","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","rotationPolicy":"Never","size":4096},"revisionHistoryLimit":44,"secretName":"test-revision-override-cert"}}+ creationTimestamp: "2024-01-12T17:39:57Z"+ generation: 1name: test-revision-overridenamespace: default+ uid: 83a6ddbc-6903-479e-802d-e11149985338spec:dnsNames:- example.com
2 - Defaulting required fields
⚠️ This section requires cert-manager v1.14.x or newer to work properly out of the box. See the Appendix section for details.
Now we can set a Kyverno ClusterPolicy to apply default values to any of the Certificate fields.
This includes the required fields.
In our example ClusterPolicy we will do two things:
- Set the relevant
issuerReffields to default to use the "our-corp-issuer"ClusterIssuer. - Apply a default
secretNamethat is the name of theCertificateobject suffixed with "-cert".
ℹ️ Note how these rules are tackling the third and fourth uses cases.
-
Here is the
ClusterPolicyresource to set both fields with defaults:apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: mutate-certificatesspec:failurePolicy: Failrules:# Set a sane default for the history field if not already present- name: set-revisionHistoryLimitmatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:# +(...) This is the clever syntax for if not already set+(revisionHistoryLimit): 2# Set rotation to always if not already set- name: set-privateKey-rotationPolicymatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:privateKey:+(rotationPolicy): Always# Set private key details for algorithm and size- name: set-privateKey-detailsmatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:privateKey:+(algorithm): ECDSA+(size): 521+(encoding): PKCS1# Set a secretName when one is not provided- name: set-default-secret-namematch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:# You can read more about this syntax in the Kyverno documentation:# https://kyverno.io/docs/writing-policies/variables/#variables-from-admission-review-requests+(secretName): "{{request.object.metadata.name}}-cert"# Set a default for issuerRef fields- name: set-default-issuer-refmatch:any:- resources:kinds:- Certificatemutate:patchStrategicMerge:spec:+(issuerRef):name: our-corp-issuerkind: ClusterIssuergroup: cert-manager.io🔗
cpol-mutate-certificates-1.yamlThis
ClusterPolicyis an extension of the policy we applied previously. -
Apply this policy:
kubectl apply -f cpol-mutate-certificates-1.yamlYou should see that our existing
ClusterPolicyhas been changed:clusterpolicy.kyverno.io/mutate-certificates configuredGet the
ClusterPolicyto validate it is "Ready":kubectl get cpolThis command should return some output similar to this example:
NAME ADMISSION BACKGROUND VALIDATE ACTION READY AGE MESSAGEmutate-certificates true true Audit True 6m21s Ready -
Look at the "test-minimal"
Certificatedesigned to validate that all our rules within the policy are operative:apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-minimalnamespace: defaultspec:dnsNames:- example.com -
Dry-run apply and
diffto validate all our defaults have applied to this minimalCertificate:kubectl apply -f cert-test-minimal.yaml --dry-run=server -o yaml | diff -uZ cert-test-minimal.yaml -This command should return some output similar to this example:
--- cert-test-minimal.yaml 2024-01-05 14:45:07.140668401 +0000+++ - 2024-01-12 17:44:08.110290752 +0000@@ -1,8 +1,25 @@apiVersion: cert-manager.io/v1kind: Certificatemetadata:+ annotations:+ kubectl.kubernetes.io/last-applied-configuration: |+ {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-minimal","namespace":"default"},"spec":{"dnsNames":["example.com"]}}+ creationTimestamp: "2024-01-12T17:44:08Z"+ generation: 1name: test-minimalnamespace: default+ uid: 792d29c7-8cf3-4f3a-9f12-4fba396e0d6espec:dnsNames:- example.com+ issuerRef:+ group: cert-manager.io+ kind: ClusterIssuer+ name: our-corp-issuer+ privateKey:+ algorithm: ECDSA+ encoding: PKCS1+ rotationPolicy: Always+ size: 521+ revisionHistoryLimit: 2+ secretName: test-minimal-certSee how we have automatically populated the
spec.issuerRefandspec.secretNamefield values. This indicates the KyvernoClusterPolicyhas been applied to the suppliedCertificateresource. -
To be absolutely sure we have not enforced any settings, let us explicitly set each property of the
Certificatefor which we have a default rule. We will use the "test-revision-override"Certificate:apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-revision-overridenamespace: defaultspec:dnsNames:- example.comissuerRef:group: cert-manager.iokind: ClusterIssuername: not-my-corp-issuerprivateKey:algorithm: RSAencoding: PKCS8rotationPolicy: Neversize: 4096revisionHistoryLimit: 44secretName: test-revision-override-cert -
Dry-run apply and
diffthis file:kubectl apply -f cert-test-revision-override.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision-override.yaml -This command should return some output similar to this example:
--- cert-test-revision-override.yaml 2024-01-05 14:45:14.972562067 +0000+++ - 2024-01-12 17:45:48.261997150 +0000@@ -1,8 +1,14 @@apiVersion: cert-manager.io/v1kind: Certificatemetadata:+ annotations:+ kubectl.kubernetes.io/last-applied-configuration: |+ {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision-override","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","rotationPolicy":"Never","size":4096},"revisionHistoryLimit":44,"secretName":"test-revision-override-cert"}}+ creationTimestamp: "2024-01-12T17:45:48Z"+ generation: 1name: test-revision-overridenamespace: default+ uid: d0ad7abe-c703-45f7-acf9-634b3a263cfaspec:dnsNames:- example.comFrom this command you can see that none of the
Certificatespecification fields have been changed. Only the metadata section has changed which tells us the policies have applied but not set any defaults because values were already provided. This shows that you retain the flexibility to override the cluster defaults when needed.
3 - Defaulting through Ingress Annotations
Many cert-manager users don't create Certificate resources directly and instead use the ingress-shim functionality.
cert-manager creates Certificate resources based on the supported annotations and the Ingress specification.
Let's see how we can still use ClusterPolicy to apply our defaults in this use case.
-
This example
Ingressresource has acert-manager.io/cluster-issuerannotation which instructs cert-manager to create aCertificatewith anissuerReffield pointing at aClusterIssuercalledour-corp-issuer:apiVersion: networking.k8s.io/v1kind: Ingressmetadata:annotations:cert-manager.io/cluster-issuer: "our-corp-issuer"name: defaults-examplenamespace: defaultspec:ingressClassName: nginxrules:- host: app.example.comhttp:paths:- backend:service:name: appport:number: 80path: /pathType: ImplementationSpecifictls:- hosts:- app.example.comsecretName: defaults-example-certificate-tls -
This annotation and the relevant
ingress.spec.tlsconfiguration are all we need so apply the resource:kubectl apply -f ingress.yaml -
Now validate that the
Certificateresource was automatically generated:kubectl get cert defaults-example-certificate-tls -o yamlThis command should return some output similar to this example:
apiVersion: cert-manager.io/v1kind: Certificatemetadata:creationTimestamp: "2024-01-12T17:47:04Z"generation: 1name: defaults-example-certificate-tlsnamespace: defaultownerReferences:- apiVersion: networking.k8s.io/v1blockOwnerDeletion: truecontroller: truekind: Ingressname: defaults-exampleuid: bea33a55-a9ed-4664-a56a-a679eb8272c3resourceVersion: "584260"uid: 43ced989-723b-4eac-bad0-f8bead6976dfspec:dnsNames:- app.example.comissuerRef:group: cert-manager.iokind: ClusterIssuername: our-corp-issuerprivateKey:algorithm: ECDSAencoding: PKCS1rotationPolicy: Alwayssize: 521revisionHistoryLimit: 2secretName: defaults-example-certificate-tlsusages:- digital signature- key enciphermentstatus:conditions:- lastTransitionTime: "2024-01-12T17:47:04Z"message: Issuing certificate as Secret does not existobservedGeneration: 1reason: DoesNotExiststatus: "True"type: Issuing- lastTransitionTime: "2024-01-12T17:47:04Z"message: Issuing certificate as Secret does not existobservedGeneration: 1reason: DoesNotExiststatus: "False"type: ReadynextPrivateKeySecretName: defaults-example-certificate-tls-nbjws -
You can optionally validate that the "mutate-certificates"
ClusterPolicyhas been applied by viewing the logs of the Kyverno admission controller container.kubectl logs -n kyverno-system $(kubectl get pod -n kyverno-system -l app.kubernetes.io/component=admission-controller -o jsonpath='{.items[0].metadata.name}') -c kyverno --tail 3This command should return some output similar to this example:
I0112 17:47:04.425863 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" "clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] "gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="6f93bd8d-29ca-4eab-8e96-065ea82a1bf2" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}}I0112 17:47:04.458402 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" "clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] "gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="ec61a3c9-df0a-4daf-8bc3-227dc80348a9" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}}I0112 17:47:09.477776 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" "clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] "gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="c4384662-cb2a-49a0-8e83-e590942ec48d" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}}Taking the last line as an example you can pull out:
"kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"]See the
policykey indicates that our policy has been applied. In therulessection you can identify that three of our five rules have been applied to the generated "defaults-example-certificate-tls"Certificateresource.
When using an Ingress resource, you always need to specify the secretName from which to load the certificate.
No defaulting is required in this use case because this is a required part of the Ingress specification.
The only additional YAML that a user is required to specify on the Ingress resource is the annotation:
cert-manager.io/cluster-issuer: "our-corp-issuer"
This annotation serves as both the trigger for cert-manager to act upon this Ingress and also as the configuration value for the Certificate.spec.issuerRef fields.
This single line replaces the need for the user to create a Certificate resource entirely.
This results in a reduction of the total YAML required to secure the application behind this Ingress.
Summary
This is a fairly simple example of how easy it can be to setup defaults for your cluster Certificate resources.
We've shown how a ClusterPolicy doesn't have to "enforce" settings, rather it can be used to set and extend the default options.
Certificate users can reduce their YAML, whilst maintaining the flexibility to override any value when needed.
We have shown how a simple ClusterPolicy with only 5 rules can change the user experience creating Certificate resources from:
apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-revision-overridenamespace: defaultspec:dnsNames:- example.comissuerRef:group: cert-manager.iokind: ClusterIssuername: not-my-corp-issuerprivateKey:algorithm: RSAencoding: PKCS8rotationPolicy: Neversize: 4096revisionHistoryLimit: 44secretName: test-revision-override-cert
🔗 cert-test-revision-override.yaml
To instead only need to specify the configuration important to them, for example:
apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: test-minimalnamespace: defaultspec:dnsNames:- example.com
With this policy we achieved our objective and have enabled users to submit minimal Certifiate resources.
This completes our fifth use case, with only a single field contained within the specification, the dnsNames entry.
Every other specified field was automatically defaulted using Kyverno with ClusterPolicy which would typically be setup by a platform administrator.
Cleanup
If you created the kind cluster for this tutorial you can simply run:
kind delete cluster --name defaults
Otherwise to remove all resources deployed in this tutorial:
# Assuming you are running from this directly or saved all the files to yamls/kubectl delete -f ingress.yamlkubectl delete -f cpol-mutate-certificates-1.yamlhelm uninstall kyverno -n kyverno-systemhelm uninstall cert-manager -n cert-managerhelm uninstall ingress-nginx -n ingress-nginx
Appendix
cert-manager version requirement
The behavior of cert-manager's mutating webhook has been changed from v1.14.x onward. For a more complete explanation and details of the change please refer to PR #6311. Instructions for a manual fix can be found in this comment on PR #6311.
Presets Feature Request
For further background reading around setting "defaults" or "presets", you can refer to issue 2239. This tutorial came out of an investigation of that issue.
The cert-manager team reasoned that the requested solution could be achieved with the use of other, more generic open-source policy tools. Kyverno is just one example and similar can be achieved with Gatekeeper as an alternative tool.