ACK service controller for AWS Certificate Manager
This repository contains source code for the AWS Controllers for Kubernetes
(ACK) service controller for ACM.
Please log issues and feedback on the main AWS Controllers for
Kubernetes GitHub project.
Getting Started
Installation Instructions
Learn more about installing ACK service controller for AWS Certificate Manager.
Pricing
The ACK service controller for AWS Certificate Manager is free of charge. If you issue an exportable public certificate with AWS Certificate Manager, there is a charge at certificate issuance and again when the certificate renews. Learn more about AWS Certificate Manager Pricing.
Kubernetes Secrets
The ACK service controller for AWS Certificate Manager uses Kubernetes TLS Secrets to store the certificate chain and the decrypted private key of the exported ACM certificate. Users are expected to create the Secret before creating the Certificate resource. As each Certificate resource is created, the controller injects the base64-encoded certificate into the Secret's tls.crt and the base64-encoded private key associated with the certificate into tls.key. Deleting the Secrets is likewise the user's responsibility.
In addition, after ACM successfully renews a certificate, the ACK service controller for AWS Certificate Manager automatically exports the renewed certificate again, so that the Kubernetes TLS Secret referenced by exportTo contains the certificate data and private key data of the renewed certificate.
Export Certificate
To export an ACM certificate to a Kubernetes TLS Secret, users must specify the namespace and the name of the Secret using the exportTo field of the Certificate resource, as shown below.
Exporting an exportable ACM public certificate
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: exported-cert-secret
  namespace: demo-app
data:
  tls.crt: ""
  tls.key: ""
---
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: exportable-public-cert
  namespace: demo-app
spec:
  domainName: my.domain.com
  options:
    certificateTransparencyLoggingPreference: ENABLED
  exportTo:
    namespace: demo-app
    name: exported-cert-secret
    key: tls.crt
...
Exporting an ACM private certificate
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: exported-cert-secret
  namespace: demo-app-2
data:
  tls.crt: ""
  tls.key: ""
---
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: exportable-private-cert
  namespace: demo-app-2
spec:
  domainName: my.domain.com
  certificateAuthorityARN: arn:aws:acm-pca:{$REGION}:{$AWS_ACCOUNT}:certificate-authority/12345678-1234-1234-1234-123456789012
  keyAlgorithm: EC_secp384r1
  exportTo:
    namespace: demo-app-2
    name: exported-cert-secret
    key: tls.crt
If you are issuing a privately trusted certificate, please also consider using this cert-manager plugin: https://github.com/cert-manager/aws-privateca-issuer/.
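Because the Secret named in exportTo ends up holding the decrypted private key (base64 is an encoding, not encryption, so anyone with get access to Secrets in that namespace can read it), it is worth checking what actually landed there before pointing a workload at it: that tls.crt and tls.key were populated at all, that the key belongs to the leaf certificate, that the leaf covers the domainName you asked for, and that the re-export after an ACM renewal has happened rather than leaving a near-expiry certificate in place. The Go program below is an added example written for this README and is not part of the ACK controller or its code base. It reads a Secret in the JSON form `kubectl get secret -o json` produces, assumes the private key is PKCS#8 (the format ACM exports; SEC1-encoded keys would be rejected), and builds its own self-signed P-384 certificate as constructed sample data in place of a real ACM export.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tlsSecret mirrors a kubernetes.io/tls Secret as `kubectl get secret -o json` shows it (base64 values).
type tlsSecret struct {
	Type string            `json:"type"`
	Data map[string]string `json:"data"`
}

// checkTLSSecret decodes tls.crt and tls.key from a Secret manifest (JSON), verifies that
// the private key belongs to the leaf certificate, that the leaf covers wantDomain, and
// that the leaf will not expire within renewWindow of `now`. It returns the leaf.
func checkTLSSecret(raw []byte, wantDomain string, now time.Time, renewWindow time.Duration) (*x509.Certificate, error) {
	var s tlsSecret
	if err := json.Unmarshal(raw, &s); err != nil || s.Type != "kubernetes.io/tls" {
		return nil, fmt.Errorf("not a kubernetes.io/tls Secret (type %q): %v", s.Type, err)
	}
	crtPEM, errCrt := base64.StdEncoding.DecodeString(s.Data["tls.crt"])
	keyPEM, errKey := base64.StdEncoding.DecodeString(s.Data["tls.key"])
	if err := errors.Join(errCrt, errKey); err != nil || len(crtPEM) == 0 || len(keyPEM) == 0 {
		return nil, fmt.Errorf("tls.crt/tls.key empty or not base64 (nothing exported yet?): %v", err)
	}
	// tls.crt carries the chain as consecutive PEM blocks, leaf first; collect the DER.
	var der []byte
	for block, rest := pem.Decode(crtPEM); block != nil; block, rest = pem.Decode(rest) {
		der = append(der, block.Bytes...)
	}
	chain, err := x509.ParseCertificates(der)
	if err != nil || len(chain) == 0 {
		return nil, fmt.Errorf("tls.crt holds no parseable certificate: %v", err)
	}
	leaf := chain[0]
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("tls.key is not PEM")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes) // assumption: PKCS#8, the format ACM exports
	if err != nil {
		return nil, err
	}
	// Stdlib RSA/ECDSA/Ed25519 keys implement crypto.Signer and their public keys have Equal.
	signer, okS := key.(crypto.Signer)
	pub, okP := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !okS || !okP || !pub.Equal(signer.Public()) {
		return nil, errors.New("tls.key does not match the leaf certificate in tls.crt")
	}
	if err := leaf.VerifyHostname(wantDomain); err != nil {
		return nil, err
	}
	if left := leaf.NotAfter.Sub(now); left < renewWindow {
		return nil, fmt.Errorf("leaf expires at %s (%s from now), inside the %s renewal window", leaf.NotAfter, left, renewWindow)
	}
	return leaf, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildSampleSecret makes a self-signed P-384 certificate (constructed test data, not an
// ACM export) and packs it into a Secret manifest the way the controller populates one.
func buildSampleSecret(domain string, notAfter time.Time) []byte {
	priv := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	crtPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: must(x509.MarshalPKCS8PrivateKey(priv))})
	return must(json.Marshal(tlsSecret{Type: "kubernetes.io/tls", Data: map[string]string{
		"tls.crt": base64.StdEncoding.EncodeToString(crtPEM),
		"tls.key": base64.StdEncoding.EncodeToString(keyPEM),
	}}))
}

func main() {
	raw := buildSampleSecret("my.domain.com", time.Now().Add(90*24*time.Hour))
	if leaf, err := checkTLSSecret(raw, "my.domain.com", time.Now(), 30*24*time.Hour); err != nil {
		fmt.Println("secret check failed:", err)
	} else {
		fmt.Println("exported certificate covers", leaf.DNSNames, "until", leaf.NotAfter)
	}
}
```

Against a live cluster you would feed checkTLSSecret the output of `kubectl get secret exported-cert-secret -n demo-app -o json` instead of the constructed sample; the renewal window is a good place to encode your own policy (for example, alert if the Secret still holds a certificate that expires sooner than the controller's re-export should have allowed).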
Contributing
We welcome community contributions and pull requests.
See our contribution guide for more information on how to
report issues, set up a development environment, and submit code.
We adhere to the Amazon Open Source Code of Conduct.
You can also learn more about our Governance structure.
License
This project is licensed under the Apache-2.0 License.