• Stars
    star
    136
  • Rank 267,670 (Top 6 %)
  • Language
    Shell
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Let's Encrypt certificates manager for Kubernetes

License Artifact HUB Donate

A Let's Encrypt certificates manager for Kubernetes

This chart use the acme.sh script to generate Let's Encrypt certifcates with DNS validation only; it uses Kubernetes Job to get and renew certificates.

Compatibility

Certs 1.x.y => Kubernetes < 1.22

Certs 2.x.y => Kubernetes >= 1.22

Ingress annotations

Name Example Description
acme.kubernetes.io/enable "true" Enable Certs on this ingress when value is set to "true".
Default value is empty.
acme.kubernetes.io/dns "dns_gd" Set the acme.sh --dns parameter: (see [https://github.com/Neilpang/acme.sh/wiki/dnsapi] for all --dns supported values).
Default value is empty.
acme.kubernetes.io/staging "true" Enable acme staging certificate validation when value is set to "true".
Default value is empty.
acme.kubernetes.io/add-args "--keylength ec-256" Add more arguments to acme.sh command used to generate certificates.
Default value is empty.
acme.kubernetes.io/cmd-to-use "acme.sh -h" Replace the acme.sh command to use for generating certificates.
Default value is empty.
acme.kubernetes.io/pre-cmd "acme.sh --register-account -m [email protected] --server zerossl" Command to use before launching the acme.sh command.
Default value is empty.
acme.kubernetes.io/post-cmd "acme.sh -h" Command to use after launching the acme.sh command.
Default value is empty.
acme.kubernetes.io/on-success-cmd "curl -X POST -H 'Content-type: application/json' --data '{"text":"Certs successful for #domains#"}' YOUR_WEBHOOK_URL" Command to use when certificate renew has been succeed.
Default value is empty.
acme.kubernetes.io/on-error-cmd "curl -X POST -H 'Content-type: application/json' --data '{"text":"Certs error for #domains#!"}' YOUR_WEBHOOK_URL" Command to use before launching the acme.sh command.
Default value is empty.

Chart configuration

Parameter Default Description
image.registry mathnao Set the docker image registry to use.
image.repository certs Set the docker image repository to use.
image.tag tag Set the docker image tag to use.
schedule 0 0,12 * * * Set the job schedule to run dns validation for certificate renew.
backoffLimit 1 Specify the number of retries before considering a job as failed.
activeDeadlineSeconds 600 Set an active deadline for terminatting a job.
ttlSecondsAfterFinished 120 Set a TTL for cleaning a job.
successfulJobsHistoryLimit 3 Specify how many completed jobs should be kept.
manageAllNamespaces false Whether or not certs should manage all namespaces for generating certificates.
namespacesWhitelist <empty> Run certs only for a namespace whitelist separated by a space. Useful when manageAllNamespaces is set to true.
debug false Display more logs when value is set to "true".
failedJobsHistoryLimit 1 Specify how many failed jobs should be kept.
env [] List all environment variables needed to run a acme.sh dns validation for certificate renew.
secretResourceNames [] Limit Role/ClusterRole access to a list of secrets. This should be a list of tls secrets used by ingress resources.
demo.enabled false Enable a demo backend for test purpose.
demo.image mathnao/light-test-server Set the docker image to use for the demo backend
demo.service.type ClusterIP Set the service type for the demo backend
demo.service.port 8080 Set the service port for the demo backend
demo.secretName demo-ingress-cert Set the secret name for storing generated certificates
demo.hosts - "example.com" Set the list of your hosts to generate Let's Encrypt certificate

Deployment example

1/ Have your Ingress Controller deployed and ready

2/ Register your ingress, for example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    acme.kubernetes.io/enable: "true"
    acme.kubernetes.io/dns: "dns_gd"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - sslexample.foo.com
    secretName: testsecret-tls
  rules:
  - host: sslexample.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service1
          servicePort: 80

3/ Install Certs chart:

# Add the `Certs` Helm repository
helm repo add certs https://math-nao.github.io/certs/charts

# Update your local Helm chart repository cache
helm repo update

# Install the `Certs` Helm chart in the same namespace than your ingresses
helm install \
  --name certs \
  --namespace app \
  --values values.yaml \
  certs/certs

values.yaml file may content for example:

# schedule a Kubernetes Job twice a day, certificate is renewed only if it is going to expire soon
schedule: "0 2,14 * * *"

# add all necessary environment variables for acme.sh dns validation
# see https://github.com/Neilpang/acme.sh/wiki/dnsapi
env:
- name: GD_Key
  value: XXXX
- name: GD_Secret
  value: XXXX

Note: By setting EAB_KID and EAB_HMAC_KEY environment variables, zerossl CA will be used automatically and account will be registered with External Account Binding(EAB) credentials.

4/ Visit https://sslexample.foo.com webpage, you should have a valid Let's Encrypt certificate

Acknowledgments

acme.sh: https://github.com/Neilpang/acme.sh

License

This code is distributed under the Apache License, Version 2.0, see LICENSE for more information.

Donates

Your donation helps to maintain Certs:

Donate