Replies: 1 comment 1 reply
You can use cert-manager with an issuer like this:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cockroachdb
spec:
  ca:
    secretName: cockroachdb-issuer
---
apiVersion: v1
kind: Secret
metadata:
  name: cockroachdb-issuer
stringData:
  tls.crt: ...
  tls.key: ...
```

Fill in the secret with your cockroachdb CA cert and key, then create a client certificate (commonName should match the role name):

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-user
spec:
  commonName: my_username
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: cockroachdb
  privateKey:
    encoding: PKCS8
  secretName: my-user-credentials
```

and now you should be able to log in with the key+cert in the
As long as it's signed by the right CA and the CN matches a role name that's all you need
At least when using the cockroach operator the secret(s) containing the CA cert and key don't have the structure that cert-manager expects for an issuer. How you solve that is gonna be highly dependent on the tooling you use for secrets and/or automation. One fairly straightforward, fully automated way to do it would be to use terraform (e.g. with crossplane) to create a new secret from the existing ones. Either way, once you've set up the issuer you can generate more client certs like above with helm or anything else.
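The reply above boils the login requirement down to two checks: the client cert must be signed by the cluster CA, and its CN must equal the SQL role name. The script below is an added example (not code from the discussion or from cert-manager) that replays exactly those two checks with the openssl CLI against a client certificate before it is handed to a client; the `make_fixture` function builds a constructed, throwaway CA and client cert in place of the `cockroachdb-issuer` and `my-user-credentials` Secrets so it runs offline.

```shell
#!/bin/sh
# Added example: verify a CockroachDB client cert the way the cluster will judge it.
# Requires the openssl command-line tool.
set -eu

# check_client_cert CA_FILE CERT_FILE EXPECTED_ROLE
# Returns 0 when CERT_FILE chains to CA_FILE and its subject CN equals EXPECTED_ROLE,
# 1 otherwise. In a real cluster CA_FILE is tls.crt from the cockroachdb-issuer Secret
# and CERT_FILE is tls.crt from my-user-credentials, e.g.
#   kubectl get secret my-user-credentials -o jsonpath='{.data.tls\.crt}' | base64 -d
check_client_cert() {
  ca="$1"; cert="$2"; expected="$3"
  # 1. chain check: the cert must be issued by the CA the Issuer signs with
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # 2. CN check: CockroachDB maps the subject CN straight onto the SQL role name
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected" ]
}

# make_fixture DIR: constructed test material standing in for the Kubernetes Secrets.
make_fixture() {
  dir="$1"
  # cluster CA (what you would copy into the cockroachdb-issuer Secret)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Cockroach CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # client cert with CN=my_username, as the Certificate resource would produce
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my_username" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
  # same CN, but self-signed by an unrelated CA: the cluster must reject this one
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=my_username" \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
}

# stand-alone demo
work=$(mktemp -d)
make_fixture "$work"
check_client_cert "$work/ca.crt" "$work/client.crt" my_username && echo "client.crt: OK for my_username"
check_client_cert "$work/ca.crt" "$work/client.crt" root || echo "client.crt: CN does not match role root"
check_client_cert "$work/ca.crt" "$work/other.crt" my_username || echo "other.crt: rejected, wrong CA"
rm -rf "$work"
```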
```
COCKROACH_DB_CHART_URL = "https://charts.cockroachdb.com/"
COCKROACH_DB_CHART_NAME = "cockroachdb"
COCKROACH_DB_CHART_VERSION = "13.0.2"
CERT_MANANGER_CHART_URL = "https://charts.jetstack.io"
CERT_MANANGER_CHART_NAME = "cert-manager"
CERT_MANANGER_CHART_VERSION = "1.15.1"
```
Hi everyone!

I hope you can help me out here. I've deployed CockroachDB and Cert-Manager using Helm. Root login works with the certificates generated by the cockroach Helm chart.

Now I want to generate a new client certificate for a user that is not root and I am a bit at a loss as to how to do that. Do I just use

`cockroach cert ...`

or do I need to create Cert-Manager resources? And how do I tell cockroach that there is a new client certificate? I'm looking for an approach that allows me to fully automate this with Helm. Thanks in advance!

Cheers!