essendi-xc-issuer is a cert-manager's CertificateRequest controller that uses essendi xc to sign certificates. essendi xc is a service that provides multiple interfaces for requesting certificates from different CAs, like Microsoft ADCS or public CAs like D-Trust, DigiCert, QuoVadis, SwissSign. essendi xc provides both ACME, SCEP and proprietary REST API; This implementation is a HTTP client that interacts with the essendi xc API sending appropriately prepared HTTP requests and interpreting the server's HTTP responses.
Current operator version was tested with the following versions of the dependencies:
| Component | Tested versions |
|---|---|
| Kubernetes | 1.29 .. 1.34 |
| cert-manager | 1.15 .. 1.19 |
| essendi xc | 1.26.2 - 2.2.3 |
and currently supports CertificateRequest CRD API version v1 only.
The essendi xc service data can be configured in Issuer or ClusterIssuer CRD objects e.g.:
apiVersion: essendixc.angeloxx.ch/v1alpha1
kind: ClusterIssuer
metadata:
name: test-integration
spec:
authSecretName: <auth-secret-reference-in-cert-manager-namespace>
ignoreHostInApiResponse: true|false
profileName: <issuing-profile-name>
subscriberName: <subscriber-name>
url: <essendi-xc-api-url>
Required parameters are:
optionally you can define also a set of custom fields that will be passed to the essendi xc API and added as metadata to all the requests. Custom fields must be previously defined in the essendi xc, then the CRD can be used to set it, eg:
apiVersion: essendixc.angeloxx.ch/v1alpha1
kind: ClusterIssuer
metadata:
name: test-integration
spec:
authSecretName: <auth-secret-reference-in-cert-manager-namespace>
ignoreHostInApiResponse: true|false
profileName: <issuing-profile-name>
subscriberName: <subscriber-name>
url: <essendi-xc-api-url>
customFields:
- name: Application
value: '{{ .Csr.CommonName }}'
- name: DeploymentTarget
value: Kubernetes
- name: Environment
value: Testing Environment
- name: NotificationMail
value: [email protected]
You have also to define the secret containing the credentials used to authenticate with the essendi xc API. The secret must be in the same namespace as the cert-manager controller:
apiVersion: v1
kind: Secret
metadata:
name: essendixc-cert-manager
namespace: cert-manager
data:
client-id: <essendi-xc-client-id>
client-secret: <client-secret>
signature-key: <request-signature-key>
token: eyJhbGciOiJIUzI1NiIsInR5cCIgOi[...]
The secret must be Opaque and contain the following fields:
CustomFields can be used to pass additional information to the Essendi-XC API. The customFields are rendered using Go templates and you can use the following variables:
We recommend to use the Helm chart to install the Essendi-XC Issuer. The Helm chart is available in the cert-manager Helm repository.
helm install essendi-xc-issuer oci://registry-1.docker.io/angeloxx/cert-manager-essendi-xc-issuer --version 0.2.1-helm --namespace cert-manager
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Content type
Helm
Digest
sha256:e208903d8…
Size
4.8 kB
Last updated
about 2 months ago
helm pull oci://registry-1.docker.io/angeloxx/cert-manager-essendi-xc-issuer --version 0.0.0-latest-helm