
[Feature Request] generate TLS certificates using cert-manager

Open luismacosta opened this issue 10 months ago • 4 comments

What was changed

  • Add certificates.yaml + secret.yaml to templates
  • Add README.md

Why?

Generate certificates using cert-manager.

How was this tested

  • Deployed cert-manager helm-chart
  • Deployed temporal helm chart, 0.57.0, using temporal/charts/temporal/tests/certificates.yaml as values.yaml, with my own tls.crt + tls.key

Cert-manager will:

  • Use the temporal-issuer (which refers to the CA).
  • Ask the CA (from the tls-certs secret) to sign a new certificate.
  • Create the temporal-tls-certs secret in the same namespace — this secret will contain:
    • tls.crt: the signed certificate
    • tls.key: the private key
    • Optionally, ca.crt: the CA certificate (if configured)

➜  ~ kubectl get secret -n temporal
NAME                          TYPE                   DATA       AGE
temporal-tls-certs            kubernetes.io/tls      3          3h38m
tls-certs                     Opaque                 2          153m

➜  ~ kubectl get certificate  -n temporal
NAME                READY          SECRET                       AGE
temporal-cert       True           temporal-tls-certs           5h35m

➜  ~ kubectl get certificaterequests  -n temporal-data
NAME              APPROVED   DENIED   READY   ISSUER            REQUESTER                                                                      AGE
temporal-cert-1   True                True    temporal-issuer   system:serviceaccount:cert-manager:test-cert-manager  5h

@robholland Can you please review? Thanks

luismacosta avatar Mar 11 '25 22:03 luismacosta

I have no prior experience with cert-manager, and while I was able to deploy that into Kubernetes, it will take me some time to read through its documentation and learn how to generate certificates. As I was waiting on my deployment to come online, I read through the code and found a few typos, for which I have provided suggestions.

I'll need to do a more detailed review, but these typos will need to be fixed so I wanted to point them out now.

Thanks Tom. Typos corrected.

luismacosta avatar Apr 08 '25 09:04 luismacosta

Hello @PhillypHenning @robholland @tomwheeler

Can you please review and merge if everything looks good to you? Thanks.

luiscosta18 avatar Aug 21 '25 17:08 luiscosta18

Having just gone through the process of creating certs and CAs for Temporal, this is a welcome piece of work. Thanks @luismacosta! Can you elaborate a little on what isCA is doing here?

spanktar avatar Sep 12 '25 21:09 spanktar


isCA: true. The resulting certificate will have the CA bit set in its extensions (BasicConstraints: CA:TRUE). This means the certificate can be used to sign and issue other certificates. Essentially, it becomes a root or intermediate CA certificate.

isCA: false (default). The certificate is treated as a leaf/end-entity certificate, used for things like securing HTTPS connections (TLS), client authentication, etc. It cannot sign other certificates.

luiscosta18 avatar Sep 13 '25 12:09 luiscosta18
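For readers following the test description and the isCA discussion above, here is an added example of the two cert-manager resources that produce the flow shown (a CA-type Issuer reading the CA key pair from tls-certs, and a leaf Certificate written to temporal-tls-certs). This is illustrative and not the PR's own templates/certificates.yaml; the temporal-frontend DNS names, durations, key algorithm and the temporal namespace are assumptions.

```yaml
# Added example, not the chart's template. A CA Issuer signs with the key pair
# stored in the "tls-certs" secret, which must hold tls.crt + tls.key where
# tls.crt carries BasicConstraints CA:TRUE (what isCA: true produces).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: temporal-issuer
  namespace: temporal          # assumed namespace
spec:
  ca:
    secretName: tls-certs      # the Opaque secret with 2 keys seen in the test output
---
# Leaf certificate for the Temporal frontend; cert-manager writes the signed
# tls.crt, the tls.key and the issuing ca.crt into "temporal-tls-certs".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: temporal-cert
  namespace: temporal
spec:
  secretName: temporal-tls-certs
  isCA: false                  # end-entity cert: CA:FALSE, cannot sign other certs
  commonName: temporal-frontend.temporal.svc.cluster.local   # assumed service name
  dnsNames:                    # assumed SANs; must match what clients connect to
    - temporal-frontend
    - temporal-frontend.temporal.svc
    - temporal-frontend.temporal.svc.cluster.local
  duration: 2160h              # 90-day lifetime (assumed)
  renewBefore: 360h            # re-issue 15 days before expiry (assumed)
  privateKey:
    algorithm: ECDSA           # assumed; RSA is also accepted
    size: 256
    rotationPolicy: Always     # new key on every renewal rather than reusing tls.key
  usages:
    - server auth
    - client auth              # needed if Temporal services use this cert for mTLS
  issuerRef:
    name: temporal-issuer
    kind: Issuer
    group: cert-manager.io
```

After `kubectl apply -f`, `kubectl get certificate -n temporal` should show READY True and the resulting secret should be of type kubernetes.io/tls with 3 data keys, matching the output in the test section.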