
cert-watch

Watch and react to changes in Kubernetes TLS Secrets.

What is cert-watch?

Kubernetes has a number of ways to keep certificates issued, renewed and up to date. Tools like cert-manager make it easy to issue and renew TLS certificates inside the cluster. The drawback is exactly that last part: inside the cluster.

While certificates are easily managed inside your Kubernetes cluster, the tools that issue them do not provide a straightforward way to distribute those certificates to the outside world. Even as we enter a new age of cloud computing, we still live in a mixed era where, sometimes, shiny new Kubernetes clusters need to play ball and integrate with older legacy infrastructure.

cert-watch provides a way to distribute certificates provisioned and renewed inside a Kubernetes cluster. Connected to the apiserver, it watches for changes to Secret resources of type kubernetes.io/tls. Whenever a TLS Secret changes (i.e. a certificate is renewed), it reacts by performing actions that distribute the new certificate into other environments.

Actions can range from sending an e-mail with the certificate attached, to copying the files to a remote host via SSH/SCP, to running a Kubernetes Job that performs a custom set of operations. Keep in mind that a kubernetes.io/tls Secret holds the private key (tls.key) alongside the certificate (tls.crt), so every action target is a place where that key will end up and should be trusted accordingly.
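The watch-and-react loop described above, as an added stdlib-only Go example that is not cert-watch's own code: it takes Secret objects in the JSON form the apiserver sends on a watch, rejects anything that is not a well-formed kubernetes.io/tls Secret (wrong type, missing keys, or a tls.key that does not belong to tls.crt), fingerprints the leaf certificate, and only triggers the actions when the certificate actually changed, so a metadata-only update does not redistribute the same cert. The host names and the self-signed certificates are constructed test data; function names are this example's own and not cert-watch's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// secret mirrors the wire form of a Kubernetes Secret; encoding/json base64-decodes "data" into []byte.
type secret struct {
	Type string            `json:"type"`
	Data map[string][]byte `json:"data"`
}

// inspect validates a kubernetes.io/tls Secret and returns the hex SHA-256 fingerprint and expiry of
// its leaf certificate. It rejects other Secret types, a missing tls.crt/tls.key, and a key that does
// not belong to the certificate, so a broken Secret is never pushed to remote systems.
func inspect(raw []byte) (string, time.Time, error) {
	var s secret
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", time.Time{}, err
	}
	crtPEM, keyPEM := s.Data["tls.crt"], s.Data["tls.key"]
	if s.Type != "kubernetes.io/tls" || len(crtPEM) == 0 || len(keyPEM) == 0 {
		return "", time.Time{}, fmt.Errorf("not a usable kubernetes.io/tls Secret (type %q)", s.Type)
	}
	// X509KeyPair parses the PEM chain and checks that the private key matches the leaf certificate.
	pair, err := tls.X509KeyPair(crtPEM, keyPEM)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("invalid key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", time.Time{}, err
	}
	return fmt.Sprintf("%x", sha256.Sum256(leaf.Raw)), leaf.NotAfter, nil
}

// shouldReact reports whether a watch event warrants running the actions: the leaf certificate differs
// from the one last distributed (lastSeen is "" before the first sighting). Metadata-only updates do not.
func shouldReact(lastSeen, current string) bool {
	return lastSeen != current
}

// selfSigned builds a throwaway cert/key pair in PEM form (constructed test data, not a real CA).
func selfSigned(cn string, ttl time.Duration) (crtPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated above
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// secretJSON renders a Secret the way the apiserver sends it on a watch (constructed input).
func secretJSON(typ string, crtPEM, keyPEM []byte) []byte {
	b, _ := json.Marshal(secret{Type: typ, Data: map[string][]byte{"tls.crt": crtPEM, "tls.key": keyPEM}})
	return b
}

func main() {
	crt1, key1 := selfSigned("app.example.internal", 24*time.Hour)
	crt2, key2 := selfSigned("app.example.internal", 48*time.Hour) // the renewed certificate
	lastSeen := ""
	for i, ev := range [][]byte{
		secretJSON("kubernetes.io/tls", crt1, key1), // first sighting: react
		secretJSON("kubernetes.io/tls", crt1, key1), // metadata-only update, same cert: ignore
		secretJSON("kubernetes.io/tls", crt2, key2), // renewal: react
		secretJSON("kubernetes.io/tls", crt2, key1), // key/cert mismatch: reject, do not distribute
	} {
		fp, exp, err := inspect(ev)
		react := err == nil && shouldReact(lastSeen, fp)
		if react {
			lastSeen = fp
		}
		fmt.Printf("event %d: react=%t expires=%s err=%v\n", i, react, exp.UTC().Format(time.RFC3339), err)
	}
}
```

Fingerprinting the DER leaf rather than comparing the PEM bytes means a re-encoded but identical certificate is still treated as unchanged, and checking the key against the certificate before acting keeps a half-written or mis-assembled Secret from being copied to a remote host where it would only break TLS there.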

Roadmap

  • React with dummy echo
  • React sending an e-mail
  • React copying files over SCP
  • Publish Docker image
  • Publish helm chart
  • Add more features and fix all the bugs...
  • Release a stable 1.0.0

Installation via Helm Chart

A Helm chart is provided for quick installation. To use it, add the Helm repository to your local Helm installation:

helm repo add cert-watch https://raw.githubusercontent.com/jhmorimoto/cert-watch/main/helm
helm repo up

Then install a release with:

helm upgrade --create-namespace --install -n cert-watch cert-watch cert-watch/cert-watch

When a new version is available, the same helm upgrade command brings you up to date:

helm repo up
helm upgrade --create-namespace --install -n cert-watch cert-watch cert-watch/cert-watch

Be aware there are no stable releases yet. In practice, that means the Helm chart is set up to use the latest tag of the Docker image and will pull whatever that tag currently points to on every restart (imagePullPolicy: Always), so the code you are running can change without any Helm upgrade on your side. In addition, the compiled binary has debugging flags and verbose log levels enabled for active development. This will remain the case for most 0.x.x releases, until a stable 1.x.x is reached.

CRDs managed by Helm

The Helm chart also manages the CRDs and annotates them with helm.sh/resource-policy: keep, so when the release is uninstalled the CRDs are not removed from the cluster. This lets you uninstall cert-watch without immediately losing all the CertWatchers you may already have defined.

To remove them manually, list the CRDs created by the installation and kubectl delete them at your convenience. Note that deleting a CRD also deletes every CertWatcher object of that kind in the cluster.

Example:

$ kubectl get crd | grep certwatch.morimoto.net.br
certwatchers.certwatch.morimoto.net.br   2021-09-29T23:18:22Z

$ kubectl delete crd certwatchers.certwatch.morimoto.net.br

Alternatively, if you have the source code for this project, you can run the uninstall target from the Makefile:

make uninstall

User Guide

For details on how to use cert-watch, check out the User Guide.

Development

If you wish to contribute or would like to run the controller locally yourself, check out the Development quick start guide.


Powered by kubebuilder 2.3.2.
