Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Cloudflare’s Origin CA Issuer: an Extension to the K8s cert-manager

Cloudflare’s Origin CA Issuer: an Extension to the K8s cert-manager

This item in japanese

Cloudflare has released Origin CA Issuer, an extension to cert-manager, a native Kubernetes certificate management controller. Integrating with Cloudflare Origin CA, the extension makes it easier to create and renew Cloudflare Origin Certificates.

For many years, Cloudflare has recommended that site owners install a TLS certificate on their web servers so that they can encrypt traffic from the content delivery network (CDN) endpoint to the origin. However, implementing this as a site owner is not straightforward.

Acknowledging the challenges with certificate maintenance on a Kubernetes cluster, Terin Stock, software engineer at Cloudflare, discussed the steps required to integrate the Origin CA in a blog post. Supported on Kubernetes 1.16 or newer, the origin-ca-issuer installation requires permissions to create Custom Resources Definitions (CRDs) in the target cluster.

To create a binding between cert-manager and Cloudflare API for a given account, engineers will need to create an OriginIssuer resource. In a given Kubernetes Cluster, different Cloudflare accounts may connect different issuers.

kind: OriginIssuer
  name: prod-issuer
  namespace: default
  signatureType: OriginECC
      name: service-key
      key: key

The above code block creates OriginIssuer with the name "prod-issuer," with the secret "service-key" in the same namespace, which authenticates Cloudflare API.

Next, cert-manager is used to create a Certificate. Certificate is provided with details such as the required domains, including wildcards, the certificate's validity, and the next renewal timeline.

kind: Certificate
  name: example-com
  namespace: default
  # The secret name where cert-manager
  # should store the signed certificate.
  secretName: example-com-tls
  # Duration of the certificate.
  duration: 168h
  # Renew a day before the certificate expiration.
  renewBefore: 24h
  # Reference the Origin CA Issuer you created above,
  # which must be in the same namespace.
    kind: OriginIssuer
    name: prod-issuer

cert-manager then begins managing the lifecycle of this certificate, proceeds with a certificate signature request (CSR), and builds a certificate request that will be processed by the origin-ca-issuer.

Once the Cloudflare API signs the certificate, it is made available with the private key in the Kuberenetes secret provided in the secretName field. This certificate can be used on servers proxied behind Cloudflare.

If there are Ingress resources across your cluster, cert-manager has Ingress support to manage Certificate resources based on Ingress resource automatically.

Stock also described how Cloudflare has used controller-runtime project to build an external origin-ca-issuer as well.


The Tech community on Twitter took notice of this release. Calling this a "long standing" feature request, James Munnelly tweeted, "Great to see a long standing feature request for cert-manager fulfilled by @Cloudflare themselves! Great work @terinjokes (and the rest of the CF team!)"

Jetstack, a professional Kubernetes services company based in London, tweeted, "... Great to see this one from @Cloudflare, enabling easy access from #kubernetes to certificates issued from their Origin CA. A much-requested feature in the community - thanks to the team at @Cloudflare."

Our readers can learn more about origin-ca-issuer on GitHub.

Rate this Article