trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters!
It takes a list of trusted certificates which you specify and combines them into a bundle which you can trust directly in your applications.
Supported sources include a public trust bundle similar to what you get from your Operating System.
Installation instructions and API reference documentation are available on the cert-manager website.
If you've got Docker installed and you just want to play with trust-manager as soon as possible, we provide
a demo
command to quickly get a Kind cluster running trust-manager.
First, clone the repo then run make demo
:
git clone --single-branch https://github.com/cert-manager/trust-manager trust-manager
cd trust-manager
make demo
# kubeconfig is in ./bin/kubeconfig.yaml
# kind cluster is called "trust"
The demo installation uses Helm, and roughly matches what you'd get by installing trust-manager into your own cluster using Helm - although it uses locally-built images rather than the ones we publish publicly.
The simplest useful Bundle to start with is likely to be one using default CAs, which are available from trust-manager 0.4.0+.
This default CA package is based on Debian's ca-certificates
package, and so matches what you'd expect to see in a Debian
container or VM.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: trust-manager-bundle
spec:
sources:
- useDefaultCAs: true
target:
configMap:
key: "bundle.pem"
This Bundle will lead to a ConfigMap called trust-manager-bundle
containing the default CAs being created in all namespaces, ready to be mounted
and used by your applications.
Your ConfigMap will automatically be updated if you change your bundle, too - so to update it, simply update your Bundle!
For more details see the trust-manager documentation.