Certificate key pairs for EDA components
For EDA components, Cert-Manager (an X.509 certificate controller) generates, signs, and distributes the signed certificates and keys to the relevant pods.
EDA uses the Cert-Manager CSI driver (csi.cert-manager.io) to inject the generated certificate and key into a volume mounted in the pod where the application runs. Using this driver ensures that the private key and its signed certificate are unique to each pod and are stored only on the disk of the node on which that pod is scheduled. The driver also renews live certificates as needed.
The life cycle of the certificate key pair matches that of the pod; the certificate is issued when the pod is created and destroyed when the pod is terminated.
The example below shows a Pod CR with two certificate and key pairs, each requesting the signing of its certificate from Cert-Manager. The CSI driver generates a private key and requests a certificate from Cert-Manager based on the volumeAttributes settings.
apiVersion: v1
kind: Pod
metadata:
  name: eda-internal-sample-app
  labels:
    app: eda-internal-sample-app
spec:
  containers:
    - name: eda-internal-sample-app
      image:
      volumeMounts:
        - mountPath: "/var/run/eda/tls/external"
          name: tls-external
        - mountPath: "/var/run/eda/tls/internal"
          name: tls-internal
  volumes:
    - name: tls-external
      csi:
        driver: csi.cert-manager.io
        volumeAttributes:
          csi.cert-manager.io/issuer-name: eda-external-ca
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
    - name: tls-internal
      csi:
        driver: csi.cert-manager.io
        volumeAttributes:
          csi.cert-manager.io/issuer-name: eda-internal-ca
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
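The Pod CR above only declares what the CSI driver should produce; it does not show how an operator would confirm, from inside the pod or on the node, that the mounted material is what the manifest asked for. The following Go program is an added example written for this page, not code from EDA or from the Cert-Manager project. It assumes the driver's default file names in the mount (tls.crt, tls.key, ca.crt), a constructed pod name and namespace in place of ${POD_NAME}.${POD_NAMESPACE}, and a throwaway CA generated locally so the check runs offline. VerifyMount is the reusable part: it confirms the private key matches the certificate, that the certificate chains to the mounted ca.crt for the expected pod DNS name (the SAN that csi.cert-manager.io/dns-names requests), and that renewal has not fallen behind by requiring a minimum remaining validity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// VerifyMount checks a cert-manager CSI volume mount. The file names tls.crt,
// tls.key and ca.crt are the driver's defaults (an assumption here). It checks
// that the key matches the certificate, that the certificate chains to ca.crt
// and carries expectedDNS as a SAN, and that at least minRemaining validity is
// left at time now, i.e. that renewal has not fallen behind.
func VerifyMount(dir, expectedDNS string, now time.Time, minRemaining time.Duration) error {
	pair, err := tls.LoadX509KeyPair(filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key"))
	if err != nil {
		return fmt.Errorf("key/certificate unreadable or mismatched: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	caPEM, err := os.ReadFile(filepath.Join(dir, "ca.crt"))
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("ca.crt contains no usable certificate")
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedDNS, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain or SAN check failed: %w", err)
	}
	if remaining := leaf.NotAfter.Sub(now); remaining < minRemaining {
		return fmt.Errorf("only %s validity left (expires %s): renewal overdue", remaining.Round(time.Minute), leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	return nil
}

// writePEM stores one DER object as an owner-readable PEM file.
func writePEM(path, blockType string, der []byte) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der}), 0o600)
}

// WriteSampleMount populates dir the way the CSI driver would: a throwaway CA
// plus a leaf certificate for dnsName and its fresh private key. Constructed
// test data for this example, not output of Cert-Manager.
func WriteSampleMount(dir, dnsName string, notBefore time.Time, lifetime time.Duration) error {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "eda-internal-ca"},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * lifetime),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unique per pod
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName}, // what csi.cert-manager.io/dns-names produces
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return err
	}
	if err := writePEM(filepath.Join(dir, "ca.crt"), "CERTIFICATE", caDER); err != nil {
		return err
	}
	if err := writePEM(filepath.Join(dir, "tls.crt"), "CERTIFICATE", leafDER); err != nil {
		return err
	}
	return writePEM(filepath.Join(dir, "tls.key"), "EC PRIVATE KEY", keyDER)
}

func main() {
	dir, err := os.MkdirTemp("", "eda-tls-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed stand-in for ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local.
	const podDNS = "eda-internal-sample-app.eda-system.svc.cluster.local"
	now := time.Now()
	if err := WriteSampleMount(dir, podDNS, now.Add(-time.Minute), 24*time.Hour); err != nil {
		panic(err)
	}
	fmt.Println("fresh certificate:", VerifyMount(dir, podDNS, now, time.Hour))
	fmt.Println("renewal overdue:  ", VerifyMount(dir, podDNS, now.Add(23*time.Hour+30*time.Minute), time.Hour))
}
```

Pointing VerifyMount at the real mount path from the manifest (for example /var/run/eda/tls/internal) with the pod's own DNS name turns it into a readiness or liveness check: a key that does not match its certificate, a SAN that drifts from the pod name, or a certificate that the driver has failed to renew all surface as a non-nil error before the application serves traffic with it.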