The kubernetes instructions for deploying buildkit suggest creating certificates with this shell script:
sh SAN=$@ SAN_CLIENT=client
mkdir -p
kubectl create secret generic ${PRODUCT}-daemon-certs --dry-run=client -o yaml --from-file=./daemon >${PRODUCT}-daemon-certs.yaml
kubectl create secret generic ${PRODUCT}-client-certs --dry-run=client -o yaml --from-file=./client >${PRODUCT}-client-certs.yaml
)
as I want my deployment to be fully declarative, how do I achieve the same thing (creating the certificates and secret) but using cert-manager which is already installed on my cluster?
What that script is doing is basically three things:
-
Creating a local Certificate Authority (via
mkcert) -
Issing two certificates:
- one for the BuildKit daemon
- one for the client (mutual TLS)
-
Packaging them into Kubernetes Secrets
With cert-manager, you can make all of this declarative by replacing each step with Kubernetes resources.
Instead of mkcert, you define a CA inside the cluster.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: buildkit-selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: buildkit-ca
spec:
isCA: true
commonName: buildkit-ca
secretName: buildkit-ca-secret
issuerRef:
name: buildkit-selfsigned
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: buildkit-ca-issuer
spec:
ca:
secretName: buildkit-ca-secretThis replaces:
mkcert ...This replaces:
mkcert -cert-file daemon/cert.pem -key-file daemon/key.pem ${SAN}Example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: buildkit-daemon
spec:
secretName: buildkit-daemon-certs
issuerRef:
name: buildkit-ca-issuer
commonName: buildkitd
dnsNames:
- buildkitd
- buildkitd.default.svc
- buildkitd.default.svc.cluster.local
usages:
- server auth
- client authThis will create a Secret:
buildkit-daemon-certs
tls.crt
tls.key
ca.crt
This replaces:
mkcert -client ...apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: buildkit-client
spec:
secretName: buildkit-client-certs
issuerRef:
name: buildkit-ca-issuer
commonName: client
usages:
- client authYour script creates secrets like:
daemon/
cert.pem
key.pem
ca.pem
But cert-manager creates:
tls.crt
tls.key
ca.crt
Configure BuildKit to use:
tls.crtinstead ofcert.pemtls.keyinstead ofkey.pemca.crtinstead ofca.pem
This is cleaner and avoids hacks.
Use something like:
- an
initContainer - or projected volume with
items
Example:
volumes:
- name: daemon-certs
secret:
secretName: buildkit-daemon-certs
items:
- key: tls.crt
path: cert.pem
- key: tls.key
path: key.pem
- key: ca.crt
path: ca.pemYou now have:
- CA →
Issuer - Certificates →
Certificate - Secrets → automatically managed
- Rotation → automatic (huge win over mkcert script)
| mkcert script | cert-manager equivalent |
|---|---|
| Local CA files | Issuer + Certificate (isCA) |
| Manual cert generation | Certificate resources |
| Manual secret creation | automatic via secretName |
| Static | auto-renewing |
- Certificates rotate automatically
- No CI/CD scripting needed
- No local dependencies (
mkcert) - Fully GitOps-compatible
If you want, I can tailor this specifically to your BuildKit deployment (e.g., Helm values or Pod spec) so it plugs in directly.