Kubernetes + Route53 + ACME
Project description
k53certbot
k53cerbot is specifically targeted at AWS EKS users who want to issue SSL certificates based on Kubernetes Ingress declarations and are unable to use cert-manager which is incompatibility with AWS Fargate.
Setup
k53certbot is intented to run as a deployment inside the kube-system
namespace of your Kubernetes cluster
Container image (requires podman - or build manually with Docker)
make image
After building, push the image somewhere you can access it from your EKS cluster, eg ECR or an Artifactory instance you control.
Kubernetes RBAC/IAM
- Create a IAM policy based on the example
- This grants access to all Route53 resources, you may want to add restrictions
- Create a Kubernetes service account mapping the IAM policy to a service
account in the Kubernetes cluster
- The example deployment expects service name
certbot-service
- The example deployment expects service name
Route53
- Configure a public hosted zone for the zone you wish to issue certificates in
External DNS
External DNS manages the DNS record for the ingress - follow the instructions https://github.com/kubernetes-sigs/external-dns/ to setup external-dns
AWS Load Balancer Controller
AWS Load Balancer Controller exposes the services running behind Ambassador - follow the instructions https://aws.amazon.com/about-aws/whats-new/2020/10/introducing-aws-load-balancer-controller/ to setup the load balancer controller
Ingress controller
- Kubernetes requires an Ingress Controller implementation to make your ingress definitions do anything. We suggest Ambassador
ZeroSSL Setup (not required if using Letsencrypt)
- Create an opaque kubernetes secret containing the zerossl API key
- The example scripts expect:
- secret name:
zerossl - data field:
zerossl_api_key
- secret name:
k53certbot deployment
Deploy the container image you built to the cluster:
- Adjust the example to suit your environment:
<REPLACE_WITH_YOUR_IMAGE><REPLACE_WITH_YOUR_EMAIL>- remove
--provider zerosslif using Letsencrypt
kubectl apply -y /path/to/edited/example/k53certbot.kubectl.yaml- Inspect the deployment once its running:
kubectl -n kube-system get podkubectl -n kube-system get deployment ID_OF_DEPLOYMENTkubectl -n kube-system logs ID_OF_POD- ...etc
Provisioning TLS certificates
Once setup is complete, TLS certificates are provisioned by deploying a suitable ingress, see example and adjust as needed, then deploy with:
kubectl deploy -f /path/to/edited/example/ingress.kubectl.yaml
If you've done everything right, the site will start working with TLS in a few minutes time, otherwise look at the pod logs for the container running k53certbot to start working out what is going on.
Tip
There are a lot of moving parts needed before k53certbot can work - if you manage it all in one go you deserve a medal!
For the rest of us - break your cluster deployment into steps:
- AWS Load Balancer + ambassador - can you see a service?
- External-DNS - can you access your deployment over plain
httpwith the right hostname? - With all this working, your ready to try adding TLS with k53certbot
How does k53certbot work?
- Watch Kubernetes for ingress deployments
- For every change:
- Get the FQDN the ingress
- run
certbotto register or de-register the FQDN - certbot has built in support for Route 53 via python packagecertbot-dns-route53 certbotmanages files under/etc/letsencryptand will write the TLS secrets there once they have been provisioned.- Create a kubernetes secret including the contents of the appropriate
files under
/etc/letsencrypt:- Secrets will be named:
tls-<FQDN WITH PERIODS CONVERTED TO HYPHENS>eg: the secret forexample.yourdomain.comwould betls-examlple-yourdomain-com- periods are replaced with hypens as they cause problems in Ambassador - Any existing secret with the same name will be replaced
- Secrets will be named:
Status
- Experimental - does the bare minimum needed to issue an initial certificate
Features
- ZeroSSL support by adapting certbot-zerossl
- Letsencrypt support
- DNS-01 challenge support
- AWS Fargate EKS compatible
- AWS service access via
iamserviceaccount- no need (and not supported) to embed AWS access keys in secrets, etc.
Todo
- Certificate renewal (workaround: restart script)
- Testing, bulletproofing, etc.
Hacking
Use live code in docker container
rm /usr/local/lib/python3.8/site-packages/k53certbot/ -rf
ln -s /mnt/k53certbot /usr/local/lib/python3.8/site-packages/k53certbot -s
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for k53certbot-0.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7c5c711c9335614c15ce805073d7d9d220774a55df4840079ac3ce8265a5d551 |
|
| MD5 | 02aad26bbf9c741468e75bf895dd1cc1 |
|
| BLAKE2b-256 | c7d4432e8c88801360d600ccae2f4a06e794e6aeb05c562d1ebbc001671da5ff |
