Simple daemon to fetch and refresh Let's Encrypt certs stored in k8s secrets
Originally written by Omeryl. Thanks!
Build the container:
$ docker build -t certdaemon .
Or take your chances with gliderlabs/certdaemon.
Create a config secret as defined below on Kubernetes. Then deploy using
something like run/manifest.yaml.
Environment variables:
NAMESPACE - k8s namespace to use. Default is "default".
CONFIG_SECRET - k8s secret with config (see below). Default is "letsencrypt".
INTERVAL - interval for checking if certs need updating, e.g. "30m". Default is "1h".
PROVIDER - lego provider to use for the DNS challenge. Default is "route53".
ACME_ENDPOINT - URL for the ACME API. Default is the live endpoint (https://acme-v01...)! Set it to the staging endpoint for testing (https://acme-staging.api.letsencrypt.org/directory).
Other environment variables will need to be provided based on your provider.
For example, route53 will need:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
The secret defined by CONFIG_SECRET should have a key called config.yaml
that looks like this:
account:
  key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  email: [email protected]
certificates:
  - domains: ['mcidentify.com', 'www.mcidentify.com', 'yay.mcidentify.com']
    secret: main-tls
  - domains: ['sandbox.mcidentify.com']
    secret: sandbox-tls
The field account represents a Let's Encrypt account that will be created if
it doesn't exist. It's simplest to just create a new private key for a new account.
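As an added example (not code from the certdaemon project), here is a small Python validator for the config.yaml layout above, so a malformed config is caught before it is stored in the k8s secret. It assumes the document has already been parsed into a mapping (e.g. the output of yaml.safe_load), checks the account key and email, and applies the Kubernetes DNS-1123 naming rule to each target secret; the sample input is constructed and the key body is a placeholder.

```python
"""Validate a parsed certdaemon config.yaml mapping before it goes into the k8s secret."""
import re

# Kubernetes secret names must be valid DNS-1123 subdomains (lowercase, digits, '-', '.').
DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
PEM_BEGIN, PEM_END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"


def validate_config(cfg):
    """Return a list of problems found in the parsed config; an empty list means it is usable."""
    problems = []
    account = cfg.get("account") or {}
    key = str(account.get("key") or "").strip()
    if not (key.startswith(PEM_BEGIN) and key.endswith(PEM_END)):
        problems.append("account.key must be a PEM-encoded RSA private key")
    if "@" not in str(account.get("email") or ""):
        problems.append("account.email must be a valid e-mail address")
    certs = cfg.get("certificates")
    if not isinstance(certs, list) or not certs:
        return problems + ["certificates must be a non-empty list"]
    seen_secrets, seen_domains = set(), set()
    for i, cert in enumerate(certs):
        cert = cert if isinstance(cert, dict) else {}
        domains = cert.get("domains")
        if not isinstance(domains, list) or not domains or not all(isinstance(d, str) and d for d in domains):
            problems.append(f"certificates[{i}].domains must be a non-empty list of names")
            domains = []
        for d in domains:  # the same name in two entries would make two certs fight over it
            if d in seen_domains:
                problems.append(f"certificates[{i}]: domain {d!r} listed more than once")
            seen_domains.add(d)
        secret = str(cert.get("secret") or "")
        if not DNS1123.match(secret) or len(secret) > 253:
            problems.append(f"certificates[{i}].secret {secret!r} is not a valid secret name")
        elif secret in seen_secrets:
            problems.append(f"certificates[{i}].secret {secret!r} is used by another entry")
        seen_secrets.add(secret)
    return problems


# Constructed sample mirroring the README layout; the key body is a placeholder, not a real key.
SAMPLE = {
    "account": {"key": f"{PEM_BEGIN}\n...\n{PEM_END}\n", "email": "admin@example.com"},
    "certificates": [
        {"domains": ["example.com", "www.example.com"], "secret": "main-tls"},
        {"domains": ["sandbox.example.com"], "secret": "sandbox-tls"},
    ],
}
```

Run it against a config before applying the secret; any non-empty result is a reason not to deploy.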