A Kubernetes operator for managing mTLS certificates with automatic client certificate generation and revocation capabilities.
Features:

- Automatic client certificate generation for tenants
- Certificate chain management
- Certificate revocation support
- Integration with cert-manager
- Automatic CA chain updates
- Support for certificate rotation
- Built-in certificate validation
Prerequisites:

- Kubernetes cluster (v1.19+)
- cert-manager (v1.5+)
- NGINX Ingress Controller with mTLS support
- `kubectl` configured to communicate with your cluster
Installation:

1. Install cert-manager:

   ```shell
   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.5.0/cert-manager.yaml
   ```

2. Deploy the root CA:

   ```shell
   kubectl apply -f config/dependencies/cert-manager/root-ca.yaml
   ```

3. Deploy the operator:

   ```shell
   kubectl apply -f config/samples/operator.yaml
   ```

4. Create a tenant:

   ```shell
   kubectl apply -f config/samples/mtls_v1_tenant.yaml
   ```
A minimal Tenant resource:

```yaml
apiVersion: mtls.invoisight.com/v1
kind: Tenant
metadata:
  name: example-tenant
spec:
  name: example-tenant
  revoked: false
```

To revoke the tenant's certificate, set `spec.revoked` to `true`:

```shell
kubectl patch tenant example-tenant --type=merge -p '{"spec":{"revoked":true}}'
```

The repository includes a test server and E2E testing script:

```shell
# Deploy test server
kubectl apply -f config/samples/test-server/
# Run E2E tests
./test/e2e/test-mtls.sh
```

The operator follows a controller pattern and integrates with cert-manager for certificate lifecycle management:

- TenantController: manages the tenant lifecycle
- CertificateService: handles certificate operations
- CAChainService: manages the CA chain
- Integration with cert-manager for certificate issuance
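The certificate operations the Tenant resource drives (issue a client certificate named after the tenant, chain it to the root CA, reject it once `spec.revoked` is `true`), as an added Go example using only the standard library; this is not the operator's own code, and the `issue` and `verifyClient` functions, the serial numbers and the revocation set are assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for cn with a fresh P-256 key: a self-signed root when parent is nil, else a client-auth leaf.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, // CN carries the tenant name (spec.name)
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: parent == nil,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // a root signs certificates and CRLs and carries no client-auth usage
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyClient is the per-request check an mTLS ingress makes: chain to the CA, require client-auth, reject revoked serials.
func verifyClient(ca, client *x509.Certificate, revoked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // unknown CA, expired, or not a client certificate
	}
	if revoked[client.SerialNumber.String()] { // the revocation set is what spec.revoked: true must translate into
		return errors.New("client certificate " + client.SerialNumber.String() + " is revoked")
	}
	return nil
}
```

In the operator the revocation set would be derived from Tenant objects by the controller; here it is a plain map so the check runs offline.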
Contributing:

- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a new Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
See the usage guide for common issues and solutions.
For bugs and feature requests, please create an issue on the GitHub repository.