guilhem / freeipa-issuer

Licence: Apache-2.0 license
A cert-manager external issuer for FreeIPA

Programming Languages

  • Go
  • Makefile
  • Dockerfile

FreeIPA Issuer

A cert-manager external issuer to be used with FreeIPA.

Prerequisites

  • Kubernetes
  • cert-manager 1.0+
  • kustomize
  • optional: Kubernetes worker nodes enrolled in the FreeIPA domain (needed when the IPA server uses a self-signed certificate)

Install

kustomize

kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
  name: freeipa-issuer

commonLabels:
  app: freeipa-issuer

resources:
  - https://github.com/guilhem/freeipa-issuer/config/default

Configuration

examples

Issuer

An Issuer is a namespaced resource; it must live in the same namespace as the Secret it references and as the Certificates that use it.

apiVersion: certmanager.freeipa.org/v1beta1
kind: Issuer
metadata:
  name: issuer-sample
spec:
  host: freeipa.example.test
  user:
    name: freeipa-auth
    key: user
  password:
    name: freeipa-auth
    key: password

  # Optional fields
  serviceName: HTTP
  addHost: true
  addService: true
  addPrincipal: true
  ca: ipa
  # Do not verify the TLS certificate presented by the IPA server
  insecure: true # only if you cannot build your own container image with the IPA server CA injected as trusted
  # Works around a bug when adding a service
  ignoreError: true

---
apiVersion: v1
kind: Secret
metadata:
  name: freeipa-auth
data:
  user: b64value
  password: b64value

Disable Approval Check

The FreeIPA Issuer will wait for CertificateRequests to have an approved condition set before signing. If using an older version of cert-manager (pre v1.3), you can disable this check by supplying the command line flag -disable-approved-check to the Issuer Deployment.
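The approval gate described above is what stops an issuer from signing a CertificateRequest that nobody has reviewed. The Go snippet below is an added example, not the project's reconciler, that models that gate on a minimal `Condition` type rather than importing the cert-manager API (the condition type names `Approved` and `Denied` are the ones cert-manager 1.3+ sets; the sample conditions and reasons are constructed). The `disableApprovedCheck` parameter stands in for the `-disable-approved-check` flag; in this example a `Denied=True` condition is honoured even when the check is disabled, which is the example's own choice and is not stated by the page.

```go
package main

import "fmt"

// Condition mirrors the fields of a cert-manager CertificateRequest status
// condition that matter for approval. The cert-manager types themselves are
// not imported so the example runs offline.
type Condition struct {
	Type   string // "Approved", "Denied", "Ready", ...
	Status string // "True", "False" or "Unknown"
	Reason string
}

// Decision is what the reconciler should do with the request.
type Decision int

const (
	Wait   Decision = iota // no approval decision yet: requeue, do not sign
	Sign                   // approved: go ahead and request a certificate from IPA
	Reject                 // denied: mark the request failed and never sign it
)

func (d Decision) String() string {
	return [...]string{"Wait", "Sign", "Reject"}[d]
}

// approvalDecision implements the gate: sign only once an Approved=True
// condition exists. disableApprovedCheck models the -disable-approved-check
// flag for pre-1.3 cert-manager, which never sets these conditions.
// Denied=True wins over everything else (an example choice, see lead-in).
func approvalDecision(conds []Condition, disableApprovedCheck bool) (Decision, string) {
	for _, c := range conds {
		if c.Type == "Denied" && c.Status == "True" {
			return Reject, "denied: " + c.Reason
		}
	}
	if disableApprovedCheck {
		return Sign, "approval check disabled by flag"
	}
	for _, c := range conds {
		if c.Type == "Approved" && c.Status == "True" {
			return Sign, "approved: " + c.Reason
		}
	}
	return Wait, "no Approved condition yet"
}

func main() {
	// Constructed sample conditions, not taken from a real cluster.
	cases := map[string][]Condition{
		"fresh":    {},
		"approved": {{Type: "Approved", Status: "True", Reason: "cert-manager.io"}},
		"denied":   {{Type: "Denied", Status: "True", Reason: "policy.example"}},
	}
	for name, conds := range cases {
		d, why := approvalDecision(conds, false)
		fmt.Printf("%-8s -> %s (%s)\n", name, d, why)
	}
}
```

Note that an `Approved` condition with `Status: "False"` or `"Unknown"` is treated the same as no condition at all: the request keeps waiting. Only the explicit `True` state opens the gate, so the flag is the single way to bypass it, and it should only be set on clusters whose cert-manager predates approval.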

Usage

Secure an Ingress resource

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    # Name of the Issuer to use; it must be in the same namespace as the Ingress
    cert-manager.io/issuer: freeipa-issuer
    # The API group of the out-of-tree issuer is needed for cert-manager to find it
    cert-manager.io/issuer-group: certmanager.freeipa.org
    # Common name for the certificate
    cert-manager.io/common-name: www.example.com

spec:
  # Listing a host in the TLS config tells cert-manager to create a certificate
  tls:
    - hosts:
      - www.example.com
      # The certificate and key will be stored in this Secret
      secretName: example-cert
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: backend
              servicePort: 80