Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kelseyhightower/certificate-init-container
Bootstrap TLS certificates for Pods using the Kubernetes certificates API.
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/kelseyhightower/certificate-init-container
- Owner: kelseyhightower
- License: apache-2.0
- Created: 2017-04-06T04:10:10.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2020-02-17T15:23:33.000Z (almost 5 years ago)
- Last Synced: 2024-08-02T01:26:17.737Z (6 months ago)
- Language: Go
- Size: 7.7 MB
- Stars: 146
- Watchers: 10
- Forks: 52
- Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-repositories - kelseyhightower/certificate-init-container - Bootstrap TLS certificates for Pods using the Kubernetes certificates API. (Go)
README
# Certificate Init Container
The `certificate-init-container` generates TLS certificates for pods using the [Kubernetes certificate API](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster).
See the [current release](#current-release) for usage details.
## Prerequisites
* Kubernetes 1.6.0+
## Usage
Create a deployment that uses the `certificate-init-container`:
```
kubectl create -f deployments/tls-app.yaml
```

The `certificate-init-container` will generate a private key and a certificate signing request (CSR), submit the CSR to the Kubernetes certificate API, and then wait for the [certificate to be approved](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#approving-certificate-signing-requests).
```
kubectl get pods
```
```
NAME                       READY     STATUS     RESTARTS   AGE
tls-app-2342064067-c9xwf   0/1       Init:0/1   0          5s
```

View the `certificate-init-container` logs for more details:
```
kubectl logs tls-app-2342064067-c9xwf -c certificate-init-container
```
```
2017/04/06 06:58:02 wrote /etc/tls/tls.key
2017/04/06 06:58:02 wrote /etc/tls/tls.csr
2017/04/06 06:58:02 waiting for certificate...
2017/04/06 06:58:02 certificate signing request (tls-app-2342064067-c9xwf-default) not approved; trying again in 5 seconds
2017/04/06 06:58:27 certificate signing request (tls-app-2342064067-c9xwf-default) not approved; trying again in 5 seconds
```

List the certificate signing requests and locate the csr pending for the `tls-app` pod:
```
kubectl get csr
```
```
NAME                               AGE       REQUESTOR                               CONDITION
tls-app-2342064067-c9xwf-default   1m        system:serviceaccount:default:default   Pending
```

Review the csr details before approving it, in particular that the Subject Alternative Names match the pod's IP address and the service names that resolve to it:
```
kubectl describe csr tls-app-2342064067-c9xwf-default
```
```
Name:                   tls-app-2342064067-c9xwf-default
Labels:
Annotations:
CreationTimestamp:      Thu, 06 Apr 2017 06:17:16 -0700
Requesting User:        system:serviceaccount:default:default
Status:                 Pending
Subject:
        Common Name:    10-228-0-10.default.pod.cluster.local
        Serial Number:
Subject Alternative Names:
        DNS Names:      10-228-0-10.default.pod.cluster.local
                        example.com
                        tls-app.default.svc.cluster.local
        IP Addresses:   10.228.0.10
                        127.0.0.1
Events:
```

Approve the pending certificate signing request:
```
kubectl certificate approve tls-app-2342064067-c9xwf-default
```
```
certificatesigningrequest "tls-app-2342064067-c9xwf-default" approved
```

Once the certificate signing request has been approved, the `certificate-init-container` will fetch the signed certificate and write it to a shared filesystem.
```
kubectl logs tls-app-2342064067-c9xwf -c certificate-init-container
```
```
2017/04/06 06:58:02 wrote /etc/tls/tls.key
2017/04/06 06:58:02 wrote /etc/tls/tls.csr
2017/04/06 06:58:02 waiting for certificate...
2017/04/06 06:58:02 certificate signing request (tls-app-2342064067-c9xwf-default) not approved; trying again in 5 seconds
2017/04/06 06:58:27 certificate signing request (tls-app-2342064067-c9xwf-default) not approved; trying again in 5 seconds
...
2017/04/06 07:00:28 wrote /etc/tls/tls.crt
```

Next, the `certificate-init-container` will exit and the pod will start the remaining containers, which will have access to the certificate and private key.
```
kubectl get pods
```
```
NAME                       READY     STATUS    RESTARTS   AGE
tls-app-2342064067-c9xwf   1/1       Running   0          2m
```

Create a service for the `tls-app` deployment to view the certificate details.
```
kubectl expose deployment tls-app --type=LoadBalancer
```

## Current Release
Container Image:
```
gcr.io/hightowerlabs/certificate-init-container:0.0.1
```

See the [example deployment](deployments/tls-app.yaml) for more details.
Usage:
```
certificate-init-container -h
```
```
Usage of certificate-init-container:
  -additional-dnsnames string
        additional dns names; comma separated
  -cert-dir string
        The directory where the TLS certs should be written (default "/etc/tls")
  -cluster-domain string
        Kubernetes cluster domain (default "cluster.local")
  -hostname string
        hostname as defined by pod.spec.hostname
  -namespace string
        namespace as defined by pod.metadata.namespace (default "default")
  -pod-ip string
        IP address as defined by pod.status.podIP
  -pod-name string
        name as defined by pod.metadata.name
  -service-ips string
        service IP addresses that resolve to this Pod; comma separated
  -service-names string
        service names that resolve to this Pod; comma separated
  -subdomain string
        subdomain as defined by pod.spec.subdomain
```
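As an added example (not code from the certificate-init-container project), here is how the CSR shown in the `kubectl describe csr` output above can be assembled in Go from the flag values listed in the usage text: the pod DNS name as the Common Name, the additional DNS names, the service names, the pod IP plus loopback as IP SANs, and the CSR object name `<pod-name>-<namespace>`. Two assumptions are made: service names are expanded to `<service>.<namespace>.svc.<cluster-domain>` (inferred from the describe output), and the key type is P-256; only the CSR is submitted to the API, the private key never leaves the pod's volume.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"net"
	"strings"
)

// PodIdentity carries the values the init container's flags describe (see Usage above).
type PodIdentity struct {
	PodIP, PodName, Namespace, ClusterDomain string
	AdditionalDNSNames, ServiceNames         []string
}

// podDNSName builds the Common Name seen in the describe output above:
// dots in the pod IP become dashes, followed by <namespace>.pod.<cluster-domain>.
func podDNSName(id PodIdentity) string {
	return strings.ReplaceAll(id.PodIP, ".", "-") + "." + id.Namespace + ".pod." + id.ClusterDomain
}

// csrName is the CSR object name listed by `kubectl get csr`: <pod-name>-<namespace>.
func csrName(id PodIdentity) string { return id.PodName + "-" + id.Namespace }

// buildCSR generates a fresh key (P-256 is this example's assumption) and a PEM-encoded
// CSR whose subject and SANs match the describe output; only the CSR goes to the API.
func buildCSR(id PodIdentity) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dns := append([]string{podDNSName(id)}, id.AdditionalDNSNames...)
	for _, s := range id.ServiceNames { // assumed expansion to <svc>.<ns>.svc.<domain>
		dns = append(dns, s+"."+id.Namespace+".svc."+id.ClusterDomain)
	}
	ips := []net.IP{net.ParseIP(id.PodIP), net.ParseIP("127.0.0.1")} // pod IP plus loopback, as above
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: podDNSName(id)}, DNSNames: dns, IPAddresses: ips}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```

Calling `buildCSR` with the pod values from the walkthrough above (pod IP 10.228.0.10, namespace `default`, additional DNS name `example.com`, service name `tls-app`) yields a CSR whose subject and SANs match the describe output, and `csrName` gives the object name to review and approve.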