Certificate key pairs for EDA components
For EDA components, Cert-Manager (an x.509 certificate controller) generates, signs, and distributes the signed certificates and keys to the relevant pods.
EDA uses the Cert-Manager CSI driver, which injects the generated certificate and key into a volume mounted to the pod where the application is running. Using this driver ensures that the private key and corresponding signed certificate are unique to each pod and are stored on disk only on the node on which that pod is scheduled. This driver also handles renewal of live certificates as needed.
The life cycle of the certificate key pair matches that of the pod; the certificate is issued when the pod is created and destroyed when the pod is terminated.
The example below shows a pod CR with two certificate and key pairs, each requested from a different Cert-Manager issuer. For each CSI volume, the CSI driver generates a private key and requests a certificate from Cert-Manager based on the volume attributes (the issuer name and the DNS names to place in the certificate).
apiVersion: v1
kind: Pod
metadata:
  name: eda-internal-sample-app
  labels:
    app: eda-internal-sample-app
spec:
  containers:
  - name: eda-internal-sample-app
    image:
    volumeMounts:
    - mountPath: "/var/run/eda/tls/external"
      name: tls-external
    - mountPath: "/var/run/eda/tls/internal"
      name: tls-internal
  volumes:
  - name: tls-external
    csi:
      driver: csi.cert-manager.io
      volumeAttributes:
        csi.cert-manager.io/issuer-name: eda-external-ca
        csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
  - name: tls-internal
    csi:
      driver: csi.cert-manager.io
      volumeAttributes:
        csi.cert-manager.io/issuer-name: eda-internal-ca
        csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local