k53cerbot is specifically targeted at AWS EKS users who want to issue SSL certificates based on Kubernetes Ingress declarations and are unable to use cert-manager which is incompatibility with AWS Fargate.
k53certbot is intended to run as a deployment
inside the kube-system
namespace of your Kubernetes cluster
The latest image is hosted on quay.io or you can build yourself:
make image
After building, push the image somewhere you can access it from your EKS cluster, eg ECR or an Artifactory instance you control.
- Create a IAM policy based on the example
- This grants access to all Route53 resources, you may want to add restrictions
- Create a Kubernetes service account mapping the IAM policy to a service
account in the Kubernetes cluster
- The example deployment expects service name
certbot-service
- The example deployment expects service name
- Configure a public hosted zone for the zone you wish to issue certificates in
External DNS manages the DNS record for the ingress - follow the instructions https://github.com/kubernetes-sigs/external-dns/ to setup external-dns
AWS Load Balancer Controller exposes the services running behind Ambassador - follow the instructions https://aws.amazon.com/about-aws/whats-new/2020/10/introducing-aws-load-balancer-controller/ to setup the load balancer controller
- Kubernetes requires an Ingress Controller implementation to make your ingress definitions do anything. We suggest Ambassador
- Create an opaque kubernetes secret containing the zerossl API key
- The example scripts expect:
- secret name:
zerossl
- data field:
zerossl_api_key
- secret name:
Deploy the container image you built to the cluster:
- Adjust the example to suit your environment:
<REPLACE_WITH_YOUR_IMAGE>
<REPLACE_WITH_YOUR_EMAIL>
- remove
--provider zerossl
if using Letsencrypt
kubectl apply -y /path/to/edited/example/k53certbot.kubectl.yaml
- Inspect the deployment once its running:
kubectl -n kube-system get pod
kubectl -n kube-system get deployment ID_OF_DEPLOYMENT
kubectl -n kube-system logs ID_OF_POD
- ...etc
Once setup is complete, TLS certificates are provisioned by deploying a suitable ingress, see example and adjust as needed, then deploy with:
kubectl deploy -f /path/to/edited/example/ingress.kubectl.yaml
If you've done everything right, the site will start working with TLS in a few minutes time, otherwise look at the pod logs for the container running k53certbot to start working out what is going on.
Tip
There are a lot of moving parts needed before k53certbot can work - if you manage it all in one go you deserve a medal!
For the rest of us - break your cluster deployment into steps:
- AWS Load Balancer + ambassador - can you see a service?
- External-DNS - can you access your deployment over plain
http
with the right hostname? - With all this working, your ready to try adding TLS with k53certbot
- Watch Kubernetes for ingress deployments
- For every change:
- Get the FQDN the ingress
- run
certbot
to register or de-register the FQDN - certbot has built in support for Route 53 via python packagecertbot-dns-route53
certbot
manages files under/etc/letsencrypt
and will write the TLS secrets there once they have been provisioned.- Create a kubernetes secret including the contents of the appropriate
files under
/etc/letsencrypt
:- Secrets will be named:
tls-<FQDN WITH PERIODS CONVERTED TO HYPHENS>
eg: the secret forexample.yourdomain.com
would betls-example-yourdomain-com
- periods are replaced with hyphens as they cause problems in Ambassador - Any existing secret with the same name will be replaced
- Secrets will be named:
- Experimental - does the bare minimum needed to issue an initial certificate
- ZeroSSL support by adapting certbot-zerossl
- Letsencrypt support
- DNS-01 challenge support
- AWS Fargate EKS compatible
- AWS service access via
iamserviceaccount
- no need (and not supported) to embed AWS access keys in secrets, etc.
- Certificate renewal (workaround: restart script)
- Testing, bulletproofing, etc.
Use live code in docker container
rm /usr/local/lib/python3.8/site-packages/k53certbot/ -rf
ln -s /mnt/k53certbot /usr/local/lib/python3.8/site-packages/k53certbot -s