Trust
Distributing Trust Bundles in Kubernetes
trust is an operator for distributing trust bundles across a Kubernetes cluster. trust is designed to complement cert-manager by enabling services to trust X.509 certificates signed by Issuers, as well as external CAs which may not be known to cert-manager at all.
Usage
trust ships with a single cluster scoped Bundle resource. A Bundle represents a set of data that should be distributed and made available across the cluster. There are no constraints on what data can be distributed.
The Bundle gathers and appends trust data from a number of sources located in the trust namespace (where the trust controller is deployed), and syncs them to a target in every namespace.
A typical Bundle looks like the following:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-org.com
spec:
  sources:
  # A Secret in the trust namespace created via a cert-manager Certificate
  - secret:
      name: "my-db-tls"
      key: "ca.crt"
  # A ConfigMap in the trust namespace
  - configMap:
      name: "my-org.net"
      key: "root-certs.pem"
  # An In Line
  - inLine: |
      # my-org.com CA
      -----BEGIN CERTIFICATE-----
      MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
      ....
      0V3NCaQrXoh+3xrXgX/vMdijYLUSo/YPEWmo
      -----END CERTIFICATE-----
  target:
    # Data synced to the ConfigMap `my-org.com` at the key `root-certs.pem` in
    # every namespace that has the label "linkerd.io/inject=enabled".
    configMap:
      key: "root-certs.pem"
    namespaceSelector:
      matchLabels:
        linkerd.io/inject: "enabled"
Bundle currently supports the source types configMap, secret and inLine, and the target type configMap.
Namespace Selector
The target namespaceSelector can be used to scope which Namespaces targets are synced to; it supports the field matchLabels. Please see the Kubernetes documentation on label selectors for more information on how they are configured.
If namespaceSelector is empty, a bundle target will be synced to all Namespaces.
Installation
First, install cert-manager to the cluster, and then the trust operator. It is advised to run the trust operator in the cert-manager namespace.
helm repo add jetstack https://charts.jetstack.io --force-update
helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager --set installCRDs=true --wait --create-namespace
helm upgrade -i -n cert-manager cert-manager-trust jetstack/cert-manager-trust --wait
Quick Start Example
kubectl create -n cert-manager configmap source-1 --from-literal=cm-key=123
kubectl create -n cert-manager secret generic source-2 --from-literal=sec-key=ABC
kubectl apply -f - <<EOF
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-bundle
spec:
  sources:
  - configMap:
      name: "source-1"
      key: "cm-key"
  - secret:
      name: "source-2"
      key: "sec-key"
  - inLine: |
      hello world!
  target:
    configMap:
      key: "target-key"
EOF
kubectl get bundle
NAME             TARGET       SYNCED   REASON   AGE
example-bundle   target-key   True     Synced   5s
kubectl get cm -A --field-selector=metadata.name=example-bundle
NAMESPACE            NAME             DATA   AGE
cert-manager         example-bundle   1      2m18s
default              example-bundle   1      2m18s
kube-node-lease      example-bundle   1      2m18s
kube-public          example-bundle   1      2m18s
kube-system          example-bundle   1      2m18s
local-path-storage   example-bundle   1      2m18s
kubectl get cm -n kube-system example-bundle -o jsonpath="{.data['target-key']}"
123ABChello world!
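As the Bundle description above notes and the Quick Start output shows, trust appends source data verbatim and places no constraints on it, so a synced target can carry bytes that are not certificates at all ("123ABChello world!") or a malformed PEM block next to a valid one. The following is an added example, not code from the trust project: a stdlib-only Python audit of a synced target value that splits it into PEM CERTIFICATE blocks, checks that each block base64-decodes to the outer DER shape of an X.509 Certificate (a SEQUENCE spanning the whole blob whose first element is itself a SEQUENCE, the tbsCertificate), and reports any stray text between or around the blocks. The sample input is constructed: a seven-byte DER SEQUENCE stands in for a real CA certificate, and the stray "123ABC" and "hello world!" values mirror the Quick Start sources.

```python
"""Audit the value trust synced into a target ConfigMap key (added example)."""
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_sequence_total_length(der: bytes):
    """Return the encoded length of a DER SEQUENCE including its header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long-form length: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2 : 2 + n], "big")


def looks_like_certificate(der: bytes) -> bool:
    """True if the outer SEQUENCE spans the whole blob and opens with a SEQUENCE (tbsCertificate)."""
    total = der_sequence_total_length(der)
    if total is None or total != len(der):
        return False
    header = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return len(der) > header and der[header] == 0x30


def audit_bundle(data: str):
    """Return (number of well-formed certificate blocks, list of problems found)."""
    valid, problems, pos = 0, [], 0
    for i, m in enumerate(PEM_BLOCK.finditer(data), start=1):
        stray = data[pos : m.start()].strip()
        if stray:
            problems.append(f"non-certificate text before block {i}: {stray[:40]!r}")
        pos = m.end()
        b64 = "".join(m.group(1).split())  # drop line breaks inside the PEM body
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {i}: invalid base64")
            continue
        if looks_like_certificate(der):
            valid += 1
        else:
            problems.append(f"block {i}: not a DER Certificate structure")
    stray = data[pos:].strip()
    if stray:
        problems.append(f"non-certificate text after last block: {stray[:40]!r}")
    return valid, problems


# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 1 } } stands in for a real
# CA certificate; only the outer DER structure is checked by this audit.
FAKE_CERT_DER = bytes([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_CERT_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed target value: two opaque source values (as in the Quick Start)
# surround one good block and one block whose body is not a certificate.
SAMPLE_TARGET = (
    "123ABC"
    + FAKE_CERT_PEM
    + "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    + "hello world!\n"
)

if __name__ == "__main__":
    # Pipe a synced value in, e.g. the output of the jsonpath query above;
    # with no stdin data, audit the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TARGET
    count, issues = audit_bundle(text)
    print(f"{count} well-formed certificate block(s)")
    for issue in issues:
        print("problem:", issue)
    sys.exit(1 if issues else 0)
```

Run it against a live cluster by piping the target value in, for instance `kubectl get cm -n kube-system example-bundle -o jsonpath="{.data['target-key']}" | python3 audit_bundle.py`; a non-zero exit means the target carries something other than well-formed certificate blocks. The check is deliberately shallow (DER outer shape only, no signature or validity-period parsing) so it runs without third-party libraries; a full parse with a library such as cryptography can be layered on top once the block structure is known to be sane.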