Open Source Cert Manager

Overview

F5’s Cloud-Native Network Functions (CNFs) components now support the Open Source (OSS) cert-manager, and its variants, running in the cluster. This section describes how to install, configure, and work with the OSS cert-manager.

Installation

  • For a fresh installation, the customer’s OSS cert-manager must already be running in the cluster.
  • Ensure that an Issuer or ClusterIssuer is configured for F5’s components.
  • Continue the CNFs installation by installing all the CRDs.

OSS cert-manager installation and Issuer creation

Pre-requisites:

Ensure that the following prerequisites are met before working with the OSS cert-manager:

  • Cert-manager v1.15.0

    For information on how to install the cert-manager, see Cert Manager Installation.

  • Issuer configuration

    For information on how to configure the cert-manager, see Cert Manager Configuration.

  • Issuer

    The cluster admin must have Issuers and/or ClusterIssuers created and ready so that the components can request a certificate and key.

    Note: An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. You must create an Issuer in each namespace in which you wish to obtain Certificates. For more information, see Issuer.

Supplemental

OSS cert-manager version validation

f5-version-validator:

  • The f5-version-validator component runs as a K8s Job, shipped as part of the CNFs Helm packages, that fetches the versions of specific software running in the cluster and compares them with the configured supported version ranges.
  • When the OSS cert-manager is enabled, the f5-version-validator is triggered during component installations and upgrades and returns a result that indicates whether the cluster is running a compatible OSS cert-manager.
  • Installation or upgrade proceeds only if the validation passes and stops if it fails. The f5-version-validator pod log provides the reasons for the failure.

Configure values file to enable OSS cert-manager support

  • By default, CNF components expect f5-cert-manager for certificate and key management. To use the OSS cert-manager instead, you must enable it and specify the Issuer or ClusterIssuer that mints the certificates in the values.yaml file used to install each CNF component.

  • Ensure that the OSS cert-manager is running before installing the F5 CRDs and all other components.

  • Set the serviceAccount and rbac parameters for non-admin users in the values.yaml file to prevent the creation of RBAC rules during the installation of the CNFs Helm charts. These values must be changed when the cluster admin has already created the RBAC rules and service account for non-admin users:

    versionValidator:
      name: f5-version-validator
      image:
        repository: "repo.f5.com/images"
      serviceAccount:
        create: false
        name: f5-version-validator
      rbac:
        create: false

  • Following are example values.yaml settings for the CRD Helm package and for the other CNF component Helm packages:

    For CRD installation:

    • Enable the external cert-manager

    • Provide the version validator container image repository

    • CRD Helm chart installation:

      global:
        certmgr:
          external: true
      versionValidator:
        name: f5-version-validator
        image:
          repository: "repo.f5.com/images"
      conversion:
        namespace: cnf-crdconversion
      

    For other Helm installations (all CNF components):

    • Enable the external cert-manager

    • Specify the issuer information (Issuer or ClusterIssuer)

    • Provide the version validator container image repository

    • Refer to the existing Issuer:

      global:
        certmgr:
          external: true
          issuerRef:
            name: your_issuer_name
            kind: Issuer
            group: cert-manager.io
      versionValidator:
        name: f5-version-validator
        image:
          repository: "repo.f5.com/images"
      

      NOTE: Create the Issuer in the same namespace as the component installation namespace.

    • Refer to the existing ClusterIssuer:

      global:
        certmgr:
          external: true
          issuerRef:
            name: your_cluster_issuer_name
            kind: ClusterIssuer
            group: cert-manager.io
      versionValidator:
        name: f5-version-validator
        image:
          repository: "repo.f5.com/images"
      

Work with OSS cert-manager

  • Verify whether the K8s Secret contains a valid certificate and key:

    • If yes, check that the certificate consumer loads or reloads the certificate, in the same way as with f5-cert-manager.

    • If no, check the Certificate, CertificateRequest, Issuer, and ClusterIssuer resources, and also review the logs of the OSS cert-manager pods.

      Following are example outputs showing the expected status of the Certificate resource and its Secret:

      Example 1:

      $ kubectl get certificate tls-f5ingress-grpc-clt -o wide
      NAME                     READY   SECRET                          ISSUER                STATUS                                          AGE
      tls-f5ingress-grpc-clt   True    tls-f5ingress-grpc-clt-secret   default-cert-issuer   Certificate is up to date and has not expired   20s
      

      Example 2:

      $ kubectl get secret tls-f5ingress-grpc-clt-secret
      NAME                            TYPE                DATA   AGE
      tls-f5ingress-grpc-clt-secret   kubernetes.io/tls   3      25s
      
  • If the CRDs of both f5-cert-manager and OSS cert-manager are installed, short resource names such as certificate, issuer, and clusterissuer resolve to only one of them. To address the other CRD, you must specify the resource together with its group (for example, the cert-manager.io group for the OSS cert-manager resources).
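The first check above, "does the Secret contain a valid certificate and key", can be automated against the data map that `kubectl get secret <name> -o json` returns. The following Go program is an added example, not code from F5 or cert-manager: it decodes the base64-encoded tls.crt and tls.key fields, rejects an expired certificate, and rejects a key that does not belong to the certificate. NewSampleSecret builds a constructed self-signed Secret so the example runs without a cluster; ValidateTLSSecret and its parameters are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// derOf base64-decodes one Secret data field (kubectl -o json form) and returns its PEM block's DER, or nil if malformed.
func derOf(b64 string) []byte {
	raw, _ := base64.StdEncoding.DecodeString(b64)
	if blk, _ := pem.Decode(raw); blk != nil {
		return blk.Bytes
	}
	return nil
}

// ValidateTLSSecret checks a kubernetes.io/tls Secret's data: tls.crt parses, is valid at now, and matches tls.key.
func ValidateTLSSecret(data map[string]string, now time.Time) error {
	cert, certErr := x509.ParseCertificate(derOf(data["tls.crt"]))
	key, keyErr := x509.ParsePKCS8PrivateKey(derOf(data["tls.key"]))
	signer, ok := key.(crypto.Signer)
	if certErr != nil || keyErr != nil || !ok {
		return fmt.Errorf("tls.crt parse: %v; tls.key parse: %v (signing key: %t)", certErr, keyErr, ok)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("tls.crt not valid at %s (NotAfter %s)", now.UTC(), cert.NotAfter.UTC())
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return fmt.Errorf("tls.key does not match the public key in tls.crt")
	}
	return nil
}

// NewSampleSecret is constructed test data (not a real cluster Secret): a self-signed Ed25519 cert expiring at now+validFor (negative = already expired).
func NewSampleSecret(validFor time.Duration) map[string]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	enc := func(t string, b []byte) string { return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b})) }
	return map[string]string{"tls.crt": enc("CERTIFICATE", der), "tls.key": enc("PRIVATE KEY", keyDER)}
}
```

A non-nil error from ValidateTLSSecret corresponds to the "If no" branch above, which is when the Certificate, CertificateRequest and Issuer resources and the cert-manager pod logs should be inspected.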

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.