Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/puppetlabs/tlser
A tiny utility for ensuring TLS certificates are up-to-date in a Kubernetes namespace
golang kubernetes tls
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/puppetlabs/tlser
- Owner: puppetlabs
- License: apache-2.0
- Created: 2020-07-30T23:05:52.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-12-16T21:42:14.000Z (almost 3 years ago)
- Last Synced: 2024-09-23T05:31:29.024Z (about 2 months ago)
- Topics: golang, kubernetes, tls
- Language: Go
- Homepage: https://hub.docker.com/r/puppet/tlser
- Size: 165 KB
- Stars: 2
- Watchers: 56
- Forks: 4
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
# tlser
A tiny utility for ensuring TLS certificates in Kubernetes are up-to-date.
`tlser` can be used standalone to generate certificates from a pregenerated CA (cert/key pair). Just provide `-subject` to get started.
`tlser` is really intended to be used as a small `initContainer` in a Kubernetes cluster that ensures certificates that are used by an application are up-to-date with template input, via [Helm](https://helm.sh) or [KOTS](https://kots.io). It's intended to be much simpler to use than [cert-manager](https://cert-manager.io) while still providing fully usable certificate maintenance.
To use `tlser` in a cluster, include `puppet/tlser:1.3.0` as an `initContainer`, mount a CA cert/key pair as a volume, and specify necessary arguments (`-name` is required) such as
```
tlser -cacert /cert/tls.crt -cakey /cert/tls.key -name app-tls -subject example.com -dns example.com,localhost,app -ip 10.0.0.1 -expire 365 -label app=myapp -label part-of=myapp
```
When run, `tlser` will check whether a secret exists. If it exists, is not expired or about to expire, and its properties already match the parameters, it won't be regenerated. Otherwise it generates a new certificate and updates or creates the appropriate secret.
If run in a Kubernetes pod, `tlser` will use the namespace that pod runs in. Otherwise it will default to `default`. You can override the namespace with `-namespace`.
`tlser` can also be run continuously to monitor a cert and update it when necessary by passing the `-interval` flag, such as `-interval 6h`.
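The regeneration decision described above (certificate present, not expired or about to expire, properties matching the parameters), as an added Go example; it is not tlser's own code. The function names, the reason strings and the 30-day renewal window are assumptions, and the certificate is constructed inline from the README's example flags.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// needsRenewal returns why the stored certificate must be regenerated, or "" to keep it.
// renewBefore (the "about to expire" window) is an assumption; the README gives no value.
func needsRenewal(der []byte, subject string, dns []string, ips []net.IP, renewBefore time.Duration, now time.Time) string {
	cert, err := x509.ParseCertificate(der)
	switch {
	case err != nil:
		return "unparseable certificate"
	case now.Add(renewBefore).After(cert.NotAfter):
		return "expired or about to expire"
	case cert.Subject.CommonName != subject:
		return "subject changed"
	case fmt.Sprint(cert.DNSNames) != fmt.Sprint(dns): // ordered comparison of the SAN list
		return "DNS names changed"
	case fmt.Sprint(cert.IPAddresses) != fmt.Sprint(ips): // net.IP prints the same in 4- or 16-byte form
		return "IP addresses changed"
	}
	return ""
}

// sampleCert builds a constructed self-signed certificate matching the README's example flags.
func sampleCert(notAfter time.Time) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames:    []string{"example.com", "localhost", "app"},
		IPAddresses: []net.IP{net.ParseIP("10.0.0.1")},
		NotBefore:   notAfter.AddDate(-1, 0, 0), NotAfter: notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return der
}

func main() {
	now := time.Now() // certificate with 20 days left, checked against a 30-day window
	fmt.Println(needsRenewal(sampleCert(now.AddDate(0, 0, 20)), "example.com",
		[]string{"example.com", "localhost", "app"}, []net.IP{net.ParseIP("10.0.0.1")}, 720*time.Hour, now))
}
```

Passing `now` in explicitly keeps the expiry decision testable and lets the same check run on each `-interval` tick.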