install.md

Installing the Keyfactor EJBCA Issuer for cert-manager

Prerequisites

Before starting, ensure that the following requirements are met

• Git
• Make
• Docker >= v20.10.0
• Kubectl >= v1.11.3
• Kubernetes >= v1.19
  • Kubernetes, Minikube, or Kind
• Keyfactor EJBCA >= v7.7
• cert-manager >= v1.11.0
• cmctl
• Keyfactor EJBCA is properly configured according to the product docs.
• EJBCA REST API with the following API endpoints:
  • /ejbca-rest-api/v1/certificate/pkcs10enroll
  • /ejbca/ejbca-rest-api/v1/certificate/status

Additionally, verify that at least one Kubernetes node is running by running the following command:

kubectl get nodes

A static installation of cert-manager can be installed with the following command:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml

📌 Running the static cert-manager configuration is not recommended for production use. For more information, see Installing cert-manager.

Installation from Helm Chart

The cert-manager external issuer for Keyfactor EJBCA is installed using a Helm chart. The chart is available in the EJBCA cert-manager Helm repository.

1. Add the Helm repository:

   helm repo add ejbca-issuer https://keyfactor.github.io/ejbca-cert-manager-issuer
   helm repo update

2. Then, install the chart:

   helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
       --namespace ejbca-issuer-system \
       --create-namespace \
       # --set image.pullPolicy=Never # Only required if using a local image

   1. Modifications can be made by overriding the default values in the values.yaml file with the --set flag. For example, to override the secretConfig.useClusterRoleForSecretAccess to configure the chart to use a cluster role for secret access, run the following command:

      helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
          --namespace ejbca-issuer-system \
          --create-namespace \
          --set replicaCount=2

   2. Modifications can also be made by modifying the values.yaml file directly. For example, to override the secretConfig.useClusterRoleForSecretAccess value to configure the chart to use a cluster role for secret access, modify the secretConfig.useClusterRoleForSecretAccess value in the values.yaml file by creating an override file:

      cat <<EOF > override.yaml
      secretConfig:
          useClusterRoleForSecretAccess: true
      EOF

      Then, use the -f flag to specify the values.yaml file:

      helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
          --namespace command-issuer-system \
          -f override.yaml

Next, complete the Usage steps to configure the cert-manager external issuer for Keyfactor EJBCA.