Certificate Management
Overview#
Rotating Certificates and Keys in Kubernetes setup
Note
janssen-config-cm in all examples refer to jans installation configuration parameters where janssen is the helm-release-name.
Web (Ingress)#
| Associated certificates and keys |
|---|
| /etc/certs/web_https.crt |
| /etc/certs/web_https.key |
Rotate#
-
Create a file named
web-key-rotation.yamlwith the following contents :apiVersion: batch/v1 kind: Job metadata: name: web-key-rotation spec: template: metadata: annotations: sidecar.istio.io/inject: "false" spec: restartPolicy: Never containers: - name: web-key-rotation image: janssenproject/certmanager:1.0.10-1 envFrom: - configMapRef: name: janssen-config-cm # This may be differnet in Helm args: ["patch", "web", "--opts", "valid-to:365"] -
Apply job
kubectl apply -f web-key-rotation.yaml -n <jans-namespace>
Load from existing source#
Note
This will load web_https.crt and web_https.key from /etc/certs.
-
Create a secret with
web_https.crtandweb_https.key. Note that this may already exist in your deployment.kubectl create secret generic web-cert-key --from-file=web_https.crt --from-file=web_https.key -n <jans-namespace>` -
Create a file named
load-web-key-rotation.yamlwith the following contents :apiVersion: batch/v1 kind: Job metadata: name: load-web-key-rotation spec: template: metadata: annotations: sidecar.istio.io/inject: "false" spec: restartPolicy: Never volumes: - name: web-cert secret: secretName: web-cert-key items: - key: web_https.crt path: web_https.crt - name: web-key secret: secretName: web-cert-key items: - key: web_https.key path: web_https.key containers: - name: load-web-key-rotation image: janssenproject/certmanager:1.0.10-1 envFrom: - configMapRef: name: janssen-config-cm #This may be differnet in Helm volumeMounts: - name: web-cert mountPath: /etc/certs/web_https.crt subPath: web_https.crt - name: web-key mountPath: /etc/certs/web_https.key subPath: web_https.key args: ["patch", "web", "--opts", "source:from-files"] -
Apply job
kubectl apply -f load-web-key-rotation.yaml -n <jans-namespace>
Auth-server#
Warning
key rotation CronJob is usually installed with jans. Please make sure before deploying using kubectl get cronjobs -n <jans-namespace>
| Associated certificates and keys |
|---|
| /etc/certs/auth-keys.json |
| /etc/certs/auth-keys.jks |
-
Create a file named
auth-key-rotation.yamlwith the following contents :kind: CronJob apiVersion: batch/v1 metadata: name: auth-key-rotation spec: schedule: "0 */48 * * *" concurrencyPolicy: Forbid jobTemplate: spec: template: metadata: annotations: sidecar.istio.io/inject: "false" spec: containers: - name: auth-key-rotation image: janssenproject/certmanager:1.0.10-1 resources: requests: memory: "300Mi" cpu: "300m" limits: memory: "300Mi" cpu: "300m" envFrom: - configMapRef: name: janssen-config-cm args: ["patch", "auth", "--opts", "interval:48", "--opts", "key-strategy:OLDER", "--opts", "privkey-push-delay:300", "--opts", "privkey-push-strategy:NEWER"] restartPolicy: Never -
Apply cron job
kubectl apply -f auth-key-rotation.yaml -n <jans-namespace>
LDAP#
Note
Subject Alt Name must match opendj service.
| Associated certificates and keys |
|---|
| /etc/certs/opendj.crt |
| /etc/certs/opendj.key |
| /etc/certs/opendj.pem |
| /etc/certs/opendj.pkcs12 |
-
Create a file named
ldap-key-rotation.yamlwith the following contents :apiVersion: batch/v1 kind: Job metadata: name: ldap-key-rotation spec: template: metadata: annotations: sidecar.istio.io/inject: "false" spec: restartPolicy: Never containers: - name: ldap-key-rotation image: janssenproject/certmanager:1.0.10-1 envFrom: - configMapRef: name: janssen-config-cm args: ["patch", "ldap", "--opts", "subj-alt-name:opendj", "--opts", "valid-to:365"] -
Apply job
kubectl apply -f ldap-key-rotation.yaml -n <jans-namespace>
Created: 2022-07-21