Automatically synchronize cert-manager generated Certificates to AWS Certificate Manager from your Kubernetes cluster.
kube-cert-acm is a chart that creates a Deployment in your Kubernetes cluster.
It reads its configuration from a config file that is mounted from a ConfigMap. The ConfigMap lists the certificates to be imported from the cluster to ACM.
It gets these Certificates on a regular basis, and if different from the ones on ACM, updates them on AWS. The check interval is configured on the Helm chart.
These certificates are supposed to be generated by cert-manager and are defined in a Certificate CRD.
This chart has been tested on an EKS cluster for the following Kubernetes versions:
- Kubernetes 1.21 ✅
- Kubernetes 1.22 ✅
- Kubernetes 1.23 ✅
- Kubernetes 1.24 ✅
- Kubernetes 1.25 ✅
It has also been tested with certificates generated with the following versions of cert-manager charts:
- cert-manager 1.9.1 ✅
- cert-manager 1.9.2 ✅
- cert-manager 1.10.0 ✅
- cert-manager 1.11.0 ✅
It has been tested for Let's Encrypt certificates generated using cert-manager.
kube-cert-acm can be installed using the official helm chart:
Add the Helm repository:
helm repo add kube-cert-acm https://mstiri.github.io/kube-cert-acm
helm install kube-cert-acm kube-cert-acm/kube-cert-acm --set aws.region="<AWS_REGION>" \
--set serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn="arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
-f values.yaml
The values will contain for example the list of certificates to by imported to ACM. Details on the next section
The pod takes its configuration from a ConfigMap that is supposed to list all the certificates to be watched and synced. The ConfigMap is provided to the chart via the key certificatesConfig
The list of Certificates to be synchronized is provided via a config file to the Chart.
Example:
certificatesConfig:
certificates_config.yaml: |
- cert: podinfo.dev.softcloudhq.io
namespace: test
domain_name: "podinfo.dev.softcloudhq.io"
- cert: podinfo.demo.softcloudhq.io
namespace: demo
domain_name: "podinfo.demo.softcloudhq.io"
The check interval is configured via the key checkIntervalSeconds
:
checkIntervalSeconds: "30"
The helm chart configures a Cluster Role for kube-cert-acm in order to be able to read Certificates and Secrets from different namespaces in the cluster.
The rule to get Certificates:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get"]
A rule to get the Secret containing the actual certificate and private key:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
kube-cert-acm needs to access AWS ACM to import Certificates. It is recommended to use a dedicated IAM role specifically for this task that only allows the required actions.
kube-cert-acm requires the following actions to synchronise certificates to ACM. The following policy is to be attached to the kube-cert-acm IAM role:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": "acm:ListCertificates",
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"acm:UpdateCertificateOptions",
"acm:ListTagsForCertificate",
"acm:ImportCertificate",
"acm:GetCertificate",
"acm:ExportCertificate",
"acm:DescribeCertificate",
"acm:AddTagsToCertificate"
],
"Effect": "Allow",
"Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",
"Sid": ""
}
],
"Version": "2012-10-17"
}
The Helm chart suppose IRSA is used and expects the Service Account to be annotated with the required IAM role. More details on IRSA on the official documentation.
For an example of a configured IAM role for kube-cert-acm using Terraform refer to: mstiri/github/eks-cluster/platform/kube-cert-acm.tf
- Do not rely only on Certificates generated by cert-manager. Support importing certificates from Kubernetes Secrets generally
- Provide more flexible configuration to import certificates to different AWS regions
- Support configuration through annotations on Kubernetes Secrets, without needing a ConfigMap
This project has been built to fit a specific need: import a list of certificates from Kubernetes to ACM. A lot of work is still to be done to make it fit other use cases.
Contributions are highly appreciated.
To contribute:
- Fork the project
- Create a branch
- Make your contribution
- Open a Pull Request