https://github.com/andrewstuart/kube-gen-certs

Generate kubernetes ingress TLS certificates automatically via Vault
https://github.com/andrewstuart/kube-gen-certs

automated certificate ingress kubernetes self-signed tls vault

Last synced: 6 months ago
JSON representation

Generate kubernetes ingress TLS certificates automatically via Vault

• Host: GitHub
• URL: https://github.com/andrewstuart/kube-gen-certs
• Owner: andrewstuart
• License: mit
• Created: 2016-07-02T23:49:42.000Z (over 9 years ago)
• Default Branch: master
• Last Pushed: 2018-03-28T05:21:44.000Z (over 7 years ago)
• Last Synced: 2025-03-24T16:46:18.929Z (7 months ago)
• Topics: automated, certificate, ingress, kubernetes, self-signed, tls, vault
• Language: Go
• Homepage:
• Size: 23.8 MB
• Stars: 11
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# kube-gen-certs

## Generate kubernetes certificates automatically for your ingresses using Vault's PKI functionality

To have kube-gen-certs create your certificates automatically, either use the

`-forcetls` option, or annotate your ingresses with `kubernetes.io/tls-vault: "true"`.

`kube-gen-certs` will automatically add any tls certificates it does not find,

and will update certificates as they are about to expire.

### Cluster deployment

```bash

# Optional (hosted on docker hub)

$ make push REG="http://docker.astuart.co:5000" # e.g.

# Edit the dep.yml and/or copy to your personal manifest repo (you have one, right?)

# If you'd like to use configmaps and secrets for the configuration (as dep.yml does by default), then create them as follows, or from manifests wherever you store your config (again, a git repo, right??)

$ kubectl create secret generic vault-creds --from-literal=vault-token=${YOUR_VAULT_TOKEN}

$ kubectl create configmap vault --from-literal=addr=${YOUR_VAULT_ENDPOINT}

# Uncomment ROOT_CA environment var if vault uses a non-publicly-trusted CA for

# its own operation (probably, since that's the point)

$ kubectl create secret generic ca --from-file=ca.crt=${PATH_TO_YOUR_CA_CERT}

$ kubectl apply -f dep.yml

```

Usage of ./kube-gen-certs:

  -alsologtostderr

    	log to standard error as well as files

  -forcetls

    	force all ingresses to use TLS if certs can be obtained

  -incluster

    	the client is running inside a kuberenetes cluster

  -log_backtrace_at value

    	when logging hits line file:N, emit a stack trace

  -log_dir string

    	If non-empty, write log files in this directory

  -logtostderr

    	log to standard error instead of files

  -self-signed

    	self-sign all certificates

  -stderrthreshold value

    	logs at or above this threshold go to stderr

  -ttl string

    	the time to live for certificates (default "240h")

  -v value

    	log level for V logs

  -vault-role string

    	the vault role to use when obtaining certs (default "vault")

  -vmodule value

    	comma-separated list of pattern=N settings for file-filtered logging