Automatically sync Certificates from Kubernetes to AWS Certificate Manager

mstiri/kube-cert-acm

Kube Cert ACM

Automatically synchronize cert-manager generated Certificates to AWS Certificate Manager from your Kubernetes cluster.

How does it work

kube-cert-acm is a Helm chart that creates a Deployment in your Kubernetes cluster.

The pod reads its configuration from a file mounted from a ConfigMap. The ConfigMap lists the Certificates to be imported from the cluster into ACM.

On every check interval (configured in the Helm chart) it reads each listed Certificate and the Secret holding its certificate and private key, compares the certificate with the one currently held in ACM, and imports the new version to AWS when they differ.

The certificates are expected to be issued by cert-manager, i.e. each one is defined by a cert-manager Certificate custom resource.

This chart has been tested on an EKS cluster with the following Kubernetes versions:

  • Kubernetes 1.21 ✅
  • Kubernetes 1.22 ✅
  • Kubernetes 1.23 ✅
  • Kubernetes 1.24 ✅
  • Kubernetes 1.25 ✅

It has also been tested with certificates generated by the following versions of the cert-manager chart:

  • cert-manager 1.9.1 ✅
  • cert-manager 1.9.2 ✅
  • cert-manager 1.10.0 ✅
  • cert-manager 1.11.0 ✅

It has been tested for Let's Encrypt certificates generated using cert-manager.

Installation

kube-cert-acm is installed from its Helm chart. Add the Helm repository, then install the chart with the AWS region, the IAM role to bind to the ServiceAccount (see IAM Role Configuration below) and a values file:

helm repo add kube-cert-acm https://mstiri.github.io/kube-cert-acm
helm install kube-cert-acm kube-cert-acm/kube-cert-acm --set aws.region="<AWS_REGION>" \
	--set serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn="arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
	-f values.yaml

The values file contains, among other settings, the list of certificates to be imported into ACM. Details are in the next section.

Configuration

Certificates Configuration

The pod takes its configuration from a ConfigMap that lists all the certificates to be watched and synced. The ConfigMap content is provided to the chart via the key certificatesConfig, as a config file (certificates_config.yaml) with one entry (cert, namespace, domain_name) per Certificate to synchronize.

Example:

certificatesConfig:
  certificates_config.yaml: |
    - cert: podinfo.dev.softcloudhq.io
      namespace: test
      domain_name: "podinfo.dev.softcloudhq.io"
    - cert: podinfo.demo.softcloudhq.io
      namespace: demo
      domain_name: "podinfo.demo.softcloudhq.io"
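The sync pass described under "How does it work", applied to one entry of the configuration above, as an added Python example; this is illustration code, not kube-cert-acm's own implementation. The boto3 ACM calls it uses (list_certificates, get_certificate, import_certificate) and the Secret keys tls.crt / tls.key are real. The FakeACM class, the ENTRY, SECRET_V1 and SECRET_V2 inputs and the placeholder PEM blocks are constructed so it runs offline, the Secret data is assumed already base64-decoded, KEY_TYPES is an assumption about the key types in use, and since this page does not say how kube-cert-acm decides that a certificate "differs", the leaf-PEM comparison is the example's own choice. The detail worth keeping: tls.crt holds the leaf followed by its chain, while ImportCertificate wants the leaf alone in Certificate and the intermediates in CertificateChain, and passing the existing CertificateArn replaces the certificate in place so whatever is attached to that ARN keeps working.

```python
"""Added example, not kube-cert-acm's own code: one sync pass for a single
certificates_config.yaml entry. The boto3 ACM calls are real; the client is
injected so the pass can run offline against the constructed FakeACM below."""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# ListCertificates filters by key type and its default set leaves out EC keys; which
# types to ask for is an assumption about what the cluster issues.
KEY_TYPES = ["RSA_2048", "RSA_3072", "RSA_4096", "EC_prime256v1", "EC_secp384r1"]


def normalize_pem(body_b64: str) -> str:
    """Re-wrap a base64 body at 64 columns so identical DER gives identical PEM text."""
    b64 = base64.b64encode(base64.b64decode("".join(body_b64.split()))).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def split_pem_bundle(bundle: str) -> Tuple[str, str]:
    """cert-manager writes tls.crt as the leaf followed by its intermediates; ACM wants
    the leaf alone in Certificate and the intermediates in CertificateChain."""
    blocks = [normalize_pem(b) for b in PEM_CERT.findall(bundle)]
    if not blocks:
        raise ValueError("tls.crt contains no CERTIFICATE block")
    return blocks[0], "".join(blocks[1:])


def der_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: a safe identifier to log for the synced version."""
    return hashlib.sha256(base64.b64decode("".join(PEM_CERT.search(pem).group(1).split()))).hexdigest()


def find_acm_arn(acm, domain_name: str) -> Optional[str]:
    """Return the ARN of the ACM certificate for domain_name, walking NextToken pages."""
    kwargs: Dict[str, object] = {"Includes": {"keyTypes": KEY_TYPES}}
    while True:
        page = acm.list_certificates(**kwargs)
        for summary in page.get("CertificateSummaryList", []):
            if summary["DomainName"] == domain_name:
                return summary["CertificateArn"]
        if not page.get("NextToken"):
            return None
        kwargs["NextToken"] = page["NextToken"]


def sync_certificate(acm, entry: Dict[str, str], secret_data: Dict[str, str]) -> Dict[str, str]:
    """entry: one certificates_config.yaml item; secret_data: the decoded data of the
    Certificate's Secret (keys tls.crt and tls.key). Imports only when the leaf differs."""
    leaf, chain = split_pem_bundle(secret_data["tls.crt"])
    arn = find_acm_arn(acm, entry["domain_name"])
    if arn:
        current = acm.get_certificate(CertificateArn=arn)["Certificate"]
        if split_pem_bundle(current)[0] == leaf:
            return {"action": "unchanged", "arn": arn, "sha256": der_fingerprint(leaf)}
    request = {"Certificate": leaf.encode(), "PrivateKey": secret_data["tls.key"].encode()}
    if chain:
        request["CertificateChain"] = chain.encode()
    if arn:
        request["CertificateArn"] = arn  # replace in place: the ARN and its attachments survive
    new_arn = acm.import_certificate(**request)["CertificateArn"]
    return {"action": "reimported" if arn else "imported", "arn": new_arn, "sha256": der_fingerprint(leaf)}


class FakeACM:
    """Constructed stand-in for boto3's ACM client, just enough to exercise the pass above."""

    def __init__(self, domain_name: str):
        self.domain_name, self.store, self.calls = domain_name, {}, []

    def list_certificates(self, **_):
        return {"CertificateSummaryList": [{"CertificateArn": a, "DomainName": self.domain_name} for a in self.store]}

    def get_certificate(self, CertificateArn: str):
        leaf, chain = self.store[CertificateArn]
        return {"Certificate": leaf, "CertificateChain": chain}

    def import_certificate(self, **kw):
        self.calls.append(kw)
        arn = kw.get("CertificateArn") or f"arn:aws:acm:eu-west-1:123456789012:certificate/{len(self.store) + 1}"
        self.store[arn] = (kw["Certificate"].decode(), kw.get("CertificateChain", b"").decode())
        return {"CertificateArn": arn}


def fake_pem(tag: bytes) -> str:
    """Constructed placeholder PEM block wrapping arbitrary bytes; not a real X.509 certificate."""
    return normalize_pem(base64.b64encode(tag).decode())


# Constructed inputs mirroring the first certificates_config.yaml entry above.
ENTRY = {"cert": "podinfo.dev.softcloudhq.io", "namespace": "test", "domain_name": "podinfo.dev.softcloudhq.io"}
SECRET_V1 = {"tls.crt": fake_pem(b"leaf-v1") + fake_pem(b"intermediate"),
             "tls.key": "-----BEGIN PRIVATE KEY-----\nZmFrZQ==\n-----END PRIVATE KEY-----\n"}
SECRET_V2 = dict(SECRET_V1, **{"tls.crt": fake_pem(b"leaf-v2") + fake_pem(b"intermediate")})


def demo() -> List[Dict[str, str]]:
    """Three passes: first import, no-op while the leaf is unchanged, re-import after renewal."""
    acm = FakeACM(ENTRY["domain_name"])
    return [sync_certificate(acm, ENTRY, secret) for secret in (SECRET_V1, SECRET_V1, SECRET_V2)]
```

Running demo() yields an "imported" result, then "unchanged", then "reimported" under the same ARN after the simulated renewal. To use it against a real account, replace FakeACM with boto3.client("acm", region_name=...) and feed it the decoded data of the Secret named by each Certificate; the pod's IRSA role then needs exactly the ACM actions listed under IAM Role Configuration.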

Other configurations

The check interval, in seconds, is configured via the key checkIntervalSeconds:

checkIntervalSeconds: "30"

RBAC Configuration

The Helm chart creates a ClusterRole for kube-cert-acm so that it can read Certificates and Secrets in any namespace of the cluster.

The rule to get Certificates:

- apiGroups: ["cert-manager.io"]
  resources: ["certificates"]
  verbs: ["get"]

A rule to get the Secret containing the actual certificate and private key:

- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

Note that the verb is get, not list or watch: the pod can only read Secrets whose names it already knows from the Certificates, but it can do so in every namespace. If the set of Secrets is fixed, the rule can be tightened further with resourceNames.

IAM Role Configuration

kube-cert-acm needs access to AWS ACM to import Certificates. It is recommended to use a dedicated IAM role for this task that allows only the required actions.

kube-cert-acm requires the following actions to synchronize certificates to ACM. Attach the following policy to the kube-cert-acm IAM role, replacing <AWS_REGION> and <AWS_ACCOUNT_ID>:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": "acm:ListCertificates",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": [
                "acm:UpdateCertificateOptions",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:GetCertificate",
                "acm:ExportCertificate",
                "acm:DescribeCertificate",
                "acm:AddTagsToCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

The sts:AssumeRole statement with Resource "*" is much broader than the ACM statements: it lets the role assume any role whose trust policy admits it. Scope its Resource to the specific role ARNs wherever your setup allows.

The Helm chart assumes IRSA (IAM Roles for Service Accounts) is used and expects the ServiceAccount to be annotated with the ARN of that IAM role (the eks.amazonaws.com/role-arn annotation set in the install command above). More details on IRSA are in the official AWS documentation.

For an example of a configured IAM role for kube-cert-acm using Terraform refer to: mstiri/github/eks-cluster/platform/kube-cert-acm.tf

Roadmap

  • Do not rely only on Certificates generated by cert-manager: support importing certificates from any Kubernetes Secret
  • Provide more flexible configuration to import certificates to different AWS regions
  • Support configuration through annotations on Kubernetes Secrets, without needing a ConfigMap

Contribution

This project was built to fit a specific need: importing a list of certificates from Kubernetes into ACM. A lot of work remains to make it fit other use cases.

Contributions are highly appreciated.

To contribute:

  • Fork the project
  • Create a branch
  • Make your contribution
  • Open a Pull Request