Skip to content

ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)

License

Notifications You must be signed in to change notification settings

albundy83/openshift-acme

 
 

Repository files navigation

Notice

This repo is a fork of https://github.com/tnozicka/openshift-acme which has been archived by his author.

I have updated some part of the original code but just to be able to update go and modules versions.

Updated images are available here :

You can use them or better build them, it's very easy:

docker build -f images/openshift-acme-controller/Dockerfile .
docker build -f images/openshift-acme-exposer/Dockerfile .

It works on OpenShift 4.10.

Enjoy and improve :-)

Donate

openshift-acme

openshift-acme is ACME Controller for OpenShift and Kubernetes clusters. It will automatically provision certificates using ACME v2 protocol and manage their lifecycle including automatic renewals.

The controller is provider independent but to start with we would recommend you to use Let's Encrypt (https://letsencrypt.org). For more information checkout section Deploy.)

Enabling ACME certificates for your object

Once openshift-acme controller is running on your cluster all you have to do is annotate your Route or other supported object like this:

metadata:
  annotations:
    kubernetes.io/tls-acme: "true"

Deploy

openshift-acme provides multiple options to deploy the controller so you can deploy it even as a regular user in a shared cluster only for specific namespaces you have access to. We intentionally avoid using CRDs which require system:admin privileges.

We have created deployments to get you started in just a few seconds. (But feel free to create one that suits your needs.)

Let's encrypt provides two environments: live and staging. The environment is chosen based on the issuer ConfigMap that is created.

Staging

staging is meant for testing the controller or making sure you can try it out without the fear or exhausting your rate limits and it will provide you with certificates signed by Let's Encrypt staging CA making the certs not trusted!

Live

live will provide you with trusted certificates but has lower rate limits. This is what you want when you're done testing/evaluating the controller

Status

openshift-acme now supports only ACME v2 protocol. For the time of the transition the old images using ACME v1 are kept in docker.io/tnozicka/openshift-acme:v0.8.0. There is no plan to support the old version and while you can still use it until the endpoints are turned off, we advise you to try the new version of the controller and migrate.

Supported objects

Routes (OpenShift)

OpenShift Routes are fully supported.

If you annotate your Route with "acme.openshift.io/secret-name": "<secret_name>", the controller will synchronize the Route certificates into a Secret so you can use SSL in the passthrough mode and mount the secret into pods.

Roadmap

  • Advanced rate limiting (there is now support for basic rate limits)
  • Ingress (and Kubernetes) support
  • DNS validation support
  • CertificateRequests objects (when not using http-01 validation you don't need a Route)
  • Operator managing the deployment and upgrades

Mailing list

https://groups.google.com/d/forum/openshift-acme

About

ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 95.7%
  • Shell 2.3%
  • Makefile 1.4%
  • Dockerfile 0.6%