• This repository has been archived on 21/Dec/2019
  • Stars
    star
    115
  • Rank 305,916 (Top 7 %)
  • Language
    Kotlin
  • License
    MIT License
  • Created over 8 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Kubernetes controller to retrieve Let's Encrypt certificates based on service annotations (unmaintained)

Kubernetes Letsencrypt Controller

Build Status

This implements a Kubernetes controller that automatically requests and refreshes Letsencrypt certificates based on service annotations.

This controller currently supports Amazon Route 53 and Google Cloud DNS as the DNS targets.

Setup

Launch the controller into your cluster using

kubectl apply -f letsencrypt-controller.yaml

This will use a release or snapshot version (depending on your git checkout) hosted on my Docker Hub account.

The pod must run with the permissions required for updating records in the DNS zones that you maintain.

On AWS, consider using a project such as kube2iam to grant permissions to individual pods.

Please refer to the 'Building' section for using your own image.

Configuration

The controller currently supports three configuration options via environment variables:

  • ACME_URL: This can be set to an alternative ACME directory URL, for example the Letsencrypt staging server if you only want to test out the controller.
  • CLOUD_PLATFORM: This can be set to either GCP or AWS to override the automatic platform detection. You can use this to for example use Route53 as the DNS backend with a cluster running on Google's Cloud Platform. If you override this option you must provide credentials for the DNS backend, for example via the environment variables for the Google Cloud Java SDK or the AWS Java SDK
  • LOG_LEVEL: This can be used to set the log level to something other than the default (INFO).

Usage

Simply add an annotation to your services, for example:

---
apiVersion: v1
kind: Service
metadata:
  name: my-app
  labels:
    app: my-app
  annotations:
    acme/certificate: www.yourdomain.com
spec:
  type: LoadBalancer
[...]

The controller will notice this and, assuming you have a matching hosted zone, create a certificate and store it as a secret named www-yourdomain-com-tls.

You can override the name of the secret by specifying an annotation called acme/secretName.

You may specify multiple domains to include in a certificate as a JSON array. This requires setting the acme/secretName annotation. For example:

[...]
metadata:
  annotations:
    acme/certificate: '["yourdomain.com", "www.yourdomain.com"]'
    acme/secretName: mydomain-certificate
[...]

The certificate secret will contain four files named certificate.pem, chain.pem, key.pem and fullchain.pem. You can mount these into whatever application you use to terminate TLS.

If required, you can configure these file names via the environment variables, CERTIFICATE_FILENAME, CHAIN_FILENAME, KEY_FILENAME, FULLCHAIN_FILENAME.

The secret will always be created in the same namespace as your service. Removing the annotation will never remove a secret.

Certificate renewals

Every secret will be annotated with the certificate expiry date. The controller will refresh the certificate and update the secret once the expiry date is close.

Currently this update happens within 1-2 days of expiry. The reason for the short time-interval is that Letsencrypt has a long-term desire to reduce the certificate lifespans so I am trying to be future-proof here.

Overview

The controller first attempts to find a secret in the Kubernetes kube-system namespace with the name letsencrypt-keypair. This secret is expected to contain the key pair used for authentication with the Letsencrypt service.

If no such key pair is found the controller will create one and store it as a secret.

On startup the controller will check all existing services for an annotation

Building

All build lifecycle steps are handled in Gradle. After determining your desired image name, you can build a new image with:

# Run test suite
./gradlew test

# Create local Docker image
./gradlew dockerBuildImage

This will build an image locally with the tag tazjin/letsencrypt-controller:${VERSION}, where ${VERSION} is the one specified in build.gradle.kts.

Contributing

Feel free to contribute pull requests, file bugs and open issues with feature suggestions!

Please follow the code of conduct.

More Repositories

1

nixery

Container registry which transparently builds images using the Nix package manager. Canonical repository is https://cs.tvl.fyi/depot/-/tree/tools/nixery
Go
1,784
star
2

nix-1p

A (more or less) one page introduction to Nix, the language.
Nix
895
star
3

kontemplate

Extremely simple Kubernetes resource templates | Source has moved to https://git.tazj.in/tree/ops/kontemplate
212
star
4

nixos-config

NixOS configuration for my machines. This repository is deprecated, config now lives at https://cs.tvl.fyi/depot/-/tree/users/tazjin/nixos
Nix
50
star
5

clojure-basics

A collection of interesting things for people who want to start learning Clojure.
45
star
6

yants

Yet Another Nix Type System | Source has moved to https://git.tazj.in/tree/nix/yants
36
star
7

democrify

A Mac application for democratic handling of music at parties, using libspotify.
Haskell
23
star
8

terraform-provider-keycloak

A Terraform provider to configure a Keycloak IDP
Go
20
star
9

alcoholic_jwt

Rust library for validation of RS256 JWTs. Source has moved to https://git.tazj.in/tree/net/alcoholic_jwt
Rust
18
star
10

converse

A simple forum software
Rust
16
star
11

elm-yesod

elm-yesod contains the Language.Elm.Yesod module for embedding Elm code in Yesod applications.
Haskell
15
star
12

watchblob

Connect to 2-factor WatchGuard VPNs on Linux with OpenVPN
Go
14
star
13

puppet-masterless

A simple skeleton/template for a masterless Puppet setup using systemd.
Puppet
13
star
14

depot

Personal monorepo, now at https://git.tazj.in
11
star
15

yubikey-fde

Full disk encryption with Yubikeys
Rust
11
star
16

coreos-ansible

An example CoreOS cluster deployment through Ansible
9
star
17

varnish-elb-systemd

Point Varnish dynamically at an AWS ELB, using bash and systemd
Shell
8
star
18

emacs.d

You are looking for https://cs.tvl.fyi/depot/-/tree/users/tazjin/emacs
Emacs Lisp
8
star
19

nixfd

`nix-env -qaP` getting on your nerves?
Rust
8
star
20

nixini

(WIP) NixOS + ChromeOS = πŸ’–
Nix
7
star
21

carnix

See nix-community/carnix instead!
6
star
22

buildGo.nix

Nix builder for Go software. Source has moved to https://git.tazj.in/tree/nix/buildGo
6
star
23

k8s-elk-demo

A simple demonstration of the ELK stack on a Kubernetes cluster
Nginx
5
star
24

journaldriver

journald -> Stackdriver Logging | Repository has moved to https://git.tazj.in/tree/ops/journaldriver
4
star
25

defer.rs

Go's defer keyword, in Rust.
3
star
26

quinistry

A Docker Registry Quine
Go
3
star
27

hs-pkpass

A Haskell library for creating and signing Passbook passes.
Haskell
3
star
28

crimp

Higher-level Rust API for cURL bindings. Source has moved to https://git.tazj.in/tree/net/crimp
Rust
2
star
29

pacman-osx

Pacman package manager on OS X
Shell
2
star
30

recovery

Instructions for myself for recovering my online identities
1
star
31

gemma

Simple tracking of recurring tasks
Common Lisp
1
star
32

pubkartet

A little service for pubs in Oslo
Haskell
1
star
33

tazjin

1
star
34

drifter-info

1
star
35

stomp.erl

An Erlang client for the STOMP protocol
Erlang
1
star
36

erlang-presentation

Erlang presentation at javaBin Oslo, 2016-09-22
Erlang
1
star
37

etcd-announcer

Tiny scratch-based Docker image for etcd service announcement
Go
1
star
38

herbert

A key signing server for cloud environments (pre-alpha)
Haskell
1
star