https://github.com/sapcc/git-cert-shim

Automatic management of certificates not related to Kubernetes resources via a github repository.

cert-manager certificate kubernetes tls


# git-cert-shim

The git-cert-shim extends [cert-manager](https://github.com/jetstack/cert-manager) and automates
the management of certificates that are configured via a GitHub repository.

The controller watches the configured GitHub repository for files containing certificate configurations and
manages [cert-manager resources](https://cert-manager.io/docs/usage/certificate) in the current Kubernetes cluster.
Once a certificate has been issued or renewed, it is kept in sync with the GitHub repository.

## Usage & Configuration

Mandatory configuration:
```
// The file containing the certificate configuration. (default "git-cert-shim.yaml")
--config-file-name

// The remote URL of the GitHub repository.
--git-remote-url

// The group of the issuer used to sign certificate requests.
--default-issuer-group string

// The kind of the issuer used to sign certificate requests.
--default-issuer-kind string

// The name of the issuer used to sign certificate requests.
--default-issuer-name string

// Trigger renewal of certificates that would expire in less than the configured duration.
// *Warning*: Only allows min, hour. (default 720h0m0s)
--renew-certificates-before duration
```

And choose one authentication method:
```
// GitHub API token. Alternatively, provide via environment variable GIT_API_TOKEN.
--git-api-token

// GitHub SSH private key filename. Alternatively, provide via environment variable GIT_SSH_PRIVKEY_FILE.
--git-ssh-privkey-file
```
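
A Deployment fragment that passes the flags above and supplies the token through `GIT_API_TOKEN` from a Kubernetes Secret rather than `--git-api-token`, so the credential is not written into the pod spec or the process arguments. This is an added example, not the project's kustomize base; the image, Secret name and key, repository URL and issuer values are placeholders or assumed sample values.

```yaml
# Added example, not taken from the project's config/ directory.
# Assumptions: image, Secret name/key, repository URL and issuer values are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: git-cert-shim
spec:
  replicas: 1
  selector:
    matchLabels:
      app: git-cert-shim
  template:
    metadata:
      labels:
        app: git-cert-shim
    spec:
      containers:
        - name: git-cert-shim
          image: <git-cert-shim-image>
          args:
            - --config-file-name=git-cert-shim.yaml
            - --git-remote-url=https://github.com/<org>/<certificates-repo>.git
            - --default-issuer-group=cert-manager.io
            - --default-issuer-kind=ClusterIssuer
            - --default-issuer-name=<issuer-name>
            - --renew-certificates-before=720h
            # Weak: a token passed as a flag is stored in the Deployment object
            # and is visible in the container's process arguments.
            # - --git-api-token=<token>
          env:
            # Preferred: the README's GIT_API_TOKEN variable, filled from a Secret,
            # so the value is readable only by those with access to that Secret.
            - name: GIT_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: git-cert-shim-credentials
                  key: git-api-token
```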

A `git-cert-shim.yaml` might look as follows:
```
certificates:
  - cn: some.thing.tld
  - cn: foo.bar.tld
    sans:
      - baz.bar.tld
```

The resulting files containing the certificate and private key are named after the certificate's common name, e.g. `some-thing-tld.pem` and `some-thing-tld-key.pem`, and are stored in the same folder as the configuration.

## Installation

See the provided [kustomize base](config) and provide the required secrets.
Run `make install` to deploy the git-cert-shim to the current cluster.