Skip to content

mstiri/kube-cert-acm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

.github/workflows

.github/workflows

 
 

charts/kube-cert-acm

charts/kube-cert-acm

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

helpers.py

helpers.py

 
 

logger.py

logger.py

 
 

main.py

main.py

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

Kube Cert ACM

Automatically synchronize cert-manager generated Certificates to AWS Certificate Manager from your Kubernetes cluster.

How does it work

kube-cert-acm is a chart that creates a Deployment in your Kubernetes cluster.

It reads its configuration from a config file that is mounted from a ConfigMap. The ConfigMap lists the certificates to be imported from the cluster to ACM.

It gets these Certificates on a regular basis, and if different from the ones on ACM, updates them on AWS. The check interval is configured on the Helm chart.

These certificates are supposed to be generated by cert-manager and are defined in a Certificate CRD.

This chart has been tested on an EKS cluster for the following Kubernetes versions:

  • Kubernetes 1.21 ✅
  • Kubernetes 1.22 ✅
  • Kubernetes 1.23 ✅
  • Kubernetes 1.24 ✅
  • Kubernetes 1.25 ✅

It has also been tested with certificates generated with the following versions of cert-manager charts:

  • cert-manager 1.9.1 ✅
  • cert-manager 1.9.2 ✅
  • cert-manager 1.10.0 ✅
  • cert-manager 1.11.0 ✅

It has been tested for Let's Encrypt certificates generated using cert-manager.

Installation

kube-cert-acm can be installed using the official helm chart:

Add the Helm repository:

helm repo add kube-cert-acm https://mstiri.github.io/kube-cert-acm
helm install kube-cert-acm kube-cert-acm/kube-cert-acm --set aws.region="<AWS_REGION>" \
	--set serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn="arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
	-f values.yaml

The values will contain for example the list of certificates to by imported to ACM. Details on the next section

Configuration

Certificates Configuration

The pod takes its configuration from a ConfigMap that is supposed to list all the certificates to be watched and synced. The ConfigMap is provided to the chart via the key certificatesConfig

The list of Certificates to be synchronized is provided via a config file to the Chart.

Example:

certificatesConfig:
  certificates_config.yaml: |
    - cert: podinfo.dev.softcloudhq.io
      namespace: test
      domain_name: "podinfo.dev.softcloudhq.io"
    - cert: podinfo.demo.softcloudhq.io
      namespace: demo
      domain_name: "podinfo.demo.softcloudhq.io"

Other configurations

The check interval is configured via the key checkIntervalSeconds :

checkIntervalSeconds: "30"

RBAC Configuration

The helm chart configures a Cluster Role for kube-cert-acm in order to be able to read Certificates and Secrets from different namespaces in the cluster.

The rule to get Certificates:

- apiGroups: ["cert-manager.io"]
  resources: ["certificates"]
  verbs: ["get"]

A rule to get the Secret containing the actual certificate and private key:

- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

IAM Role Configuration

kube-cert-acm needs to access AWS ACM to import Certificates. It is recommended to use a dedicated IAM role specifically for this task that only allows the required actions.

kube-cert-acm requires the following actions to synchronise certificates to ACM. The following policy is to be attached to the kube-cert-acm IAM role:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": "acm:ListCertificates",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": [
                "acm:UpdateCertificateOptions",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:GetCertificate",
                "acm:ExportCertificate",
                "acm:DescribeCertificate",
                "acm:AddTagsToCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

The Helm chart suppose IRSA is used and expects the Service Account to be annotated with the required IAM role. More details on IRSA on the official documentation.

For an example of a configured IAM role for kube-cert-acm using Terraform refer to: mstiri/github/eks-cluster/platform/kube-cert-acm.tf

Roadmap

  • Do not rely only on Certificates generated by cert-manager. Support importing certificates from Kubernetes Secrets generally
  • Provide more flexible configuration to import certificates to different AWS regions
  • Support configuration through annotations on Kubernetes Secrets, without needing a ConfigMap

Contribution

This project has been built to fit a specific need: import a list of certificates from Kubernetes to ACM. A lot of work is still to be done to make it fit other use cases.

Contributions are highly appreciated.

To contribute:

  • Fork the project
  • Create a branch
  • Make your contribution
  • Open a Pull Request

About

Automatically sync Certificates from Kubernetes to AWS Certificate Manager

Topics

letsencrypt tls kubernetes aws security certificates cert-manager aws-certificate-manager

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 5

Release v0.0.3 of kube-cert-acm Latest
Mar 6, 2023
+ 4 releases

Packages

No packages published

Languages