Topic Leader(s)

Topic Overview

A presentation of the ONAP-specific add-on to K8s Cert-Manager that makes it possible to enroll X.509 certificates from CMPv2 servers.

Slides & Recording


2021-02-03 - ONAP_Enrolling X.509 certificates from CMPv2 server using K8s Cert-Manager.mp4

Minutes

  • Cert-Manager is commonly used as a solution for enrolling X.509 certificates for K8s workloads
  • Cert-Manager doesn't support the CMPv2 protocol natively, but it supports the idea of external issuers, which can extend Cert-Manager's capabilities
  • In the ONAP Honolulu release, Nokia implemented a CMPv2 external issuer, which extends Cert-Manager with the capability to enroll X.509 certificates from CMPv2 servers
    • This integration uses the already implemented CMPv2 CertService
  • Ingress resources can be integrated with Cert-Manager, so they now also have the capability to get certificates from CMPv2 servers
  • Istio Service Mesh integrates with Cert-Manager, so it now also has the capability to get certificates from CMPv2 servers

Action Items

  • Need to validate the whole solution on K8s 1.19