# Autocert

**Autocert** is a kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers.

Animated terminal showing autocert in practice

To request a certificate, simply annotate your pods with a name. Certificates are issued by a private **internal certificate authority** that runs on your cluster and are mounted at `/var/run/autocert.step.sm` along with a corresponding private key and root certificate.

TLS (e.g., HTTPS) is the most widely deployed cryptographic protocol in the world. Mutual TLS (mTLS) provides end-to-end security for service-to-service communication and can **replace complex VPNs** to secure communication into, out of, and between kubernetes clusters. But **to use mTLS you need certificates issued by your own certificate authority (CA)**. Building and operating a CA, issuing certificates, and making sure they're renewed before they expire is tricky. Autocert does all of this for you.

## Key Features

* A complete public key infrastructure that you control for your kubernetes clusters
* Certificate authority that's easy to initialize and install
* Automatic injection of certificates and keys in annotated containers
* Enable on a per-namespace basis
* Namespaced installation to restrict access to privileged CA and provisioner containers
* Ability to run subordinate to an existing public key infrastructure
* Supports federation with other roots
* Short-lived certificates
* Automatic renewal
* Uses your own certificate authority -- you control who or what gets a certificate

## Getting Started

These instructions will get `autocert` installed quickly on an existing kubernetes cluster.
### Prerequisites

Make sure you've [`installed step`](https://github.com/smallstep/cli#installing) version `0.8.3` or later:

```bash
$ step version
Smallstep CLI/0.8.3 (darwin/amd64)
Release Date: 2019-01-16 01:46 UTC
```

You'll also need `kubectl` and a kubernetes cluster running version `1.9` or later with [webhook admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) enabled:

```bash
$ kubectl version --short
Client Version: v1.13.1
Server Version: v1.10.11
$ kubectl api-versions | grep "admissionregistration.k8s.io/v1beta1"
admissionregistration.k8s.io/v1beta1
```

We'll be creating a new kubernetes namespace and setting up some RBAC rules during installation. You'll need appropriate permissions in your cluster (e.g., you may need to be cluster-admin).

```bash
TODO: Check whether you have cluster permissions..? GKE instructions here if you don't have them.
```

In order to grant these permissions you may need to give yourself cluster-admin rights in your cluster. GKE, in particular, does not give the cluster owner these rights by default. You can give yourself cluster-admin rights by running:

```bash
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)
```

### Install

To install `step certificates` and `autocert` in one step run:

```bash
$ kubectl run autocert-init -it --rm --image smallstep/autocert-init --restart Never
```

You may need to adjust the RBAC policies to run `autocert-init`:

```bash
$ kubectl create clusterrolebinding autocert-init-binding --clusterrole cluster-admin --user "system:serviceaccount:default:default"
```

Once `autocert-init` is complete you can delete this binding:

```bash
$ kubectl delete clusterrolebinding autocert-init-binding
```

You can also [install manually](INSTALL.md).
### Enable autocert

To enable `autocert` for a namespace, add the `autocert.step.sm=enabled` label to it (the `autocert` webhook will not affect namespaces for which it is not enabled). To enable `autocert` for the default namespace run:

```bash
$ kubectl label namespace default autocert.step.sm=enabled
```

To check which namespaces have `autocert` enabled run:

```bash
$ kubectl get namespace -L autocert.step.sm
NAME      STATUS   AGE   AUTOCERT.STEP.SM
default   Active   59m   enabled
...
```

### Annotate pods

In addition to enabling `autocert` for a namespace, pods must be annotated with their name for certificates to be injected. The annotated name will appear as the common name and SAN in the issued certificate. To trigger certificate injection, pods must be annotated at creation time. You can do this in your deployment YAMLs:

```bash $ cat <