├── .gitignore ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── README.md ├── build_push.sh ├── clean.sh ├── fetch_certs.sh ├── hack └── setup-cert-renew.sh ├── k8s ├── dev │ ├── configmaps │ │ └── cert-renew-config.yaml │ ├── deployment │ │ └── create-cert-renew-deployment.yaml.sh │ └── pvc │ │ └── nfs-pvc.yaml ├── prod │ ├── configmaps │ │ └── cert-renew-config.yaml │ ├── deployment │ │ └── create-cert-renew-deployment.yaml.sh │ └── pvc │ │ └── nfs-pvc.yaml └── stage │ ├── configmaps │ └── cert-renew-config.yaml │ ├── deployment │ └── create-cert-renew-deployment.yaml.sh │ └── pvc │ └── nfs-pvc.yaml ├── refresh_ingress.sh ├── repo-envvars.sh ├── rollout.sh ├── start.sh └── wercker.yml /.gitignore: -------------------------------------------------------------------------------- 1 | public 2 | _* 3 | *deployment.yaml 4 | wercker_* 5 | Dockerfile 6 | .wercker 7 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | #Pull Request Guidelines 2 | 3 | * All pull requests should be a single commit, so that the changes can be observed 4 | and evaluated together. Here's the best way to make that happen: 5 | * Pull from this repo's 'master' branch to your local repo. All pull requests 6 | *must* be against the 'master' branch. 7 | * Create a local branch for making your changes: 8 | - git checkout master 9 | - git checkout -b mychangebranch 10 | * Do all your testing, fixing, etc., in that branch. Make as many commits 11 | as you need as you work. 12 | * When you've completed your changes, and and made sure that everything's working great, merge it back into working 13 | using the '--squash' option so that it appears as a single commit. 14 | - git checkout master 15 | - git merge --squash mychangebranch 16 | - git commit -am "Added super powers" 17 | - git push origin master 18 | * Now you have your changes in a single commit against your 'master' 19 | branch on GitHub, and can create the pull request. 20 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:jessie 2 | 3 | ENV CERT_RENEW_VERSION=v0.0.4 4 | 5 | RUN apt-get update \ 6 | && apt-get install -y \ 7 | curl \ 8 | wget \ 9 | openssh-client \ 10 | cron \ 11 | bc \ 12 | jq \ 13 | && rm -rf /var/lib/apt/lists/* 14 | 15 | # setup letsencrypt bot 16 | RUN wget https://dl.eff.org/certbot-auto && chmod a+x ./certbot-auto 17 | RUN echo "y" | DEBIAN_FRONTEND=noninteractive ./certbot-auto; exit 0 && \ 18 | ln -s /root/.local/share/cert-bot/bin/cert-bot /usr/local/bin/cert-bot && \ 19 | rm -rf /etc/letsencrypt 20 | 21 | RUN echo "Cert-Renew $CERT_RENEW_VERSION" > /root/.built && cat /root/.built 22 | 23 | # Pull down kubectl 24 | ENV KUBERNETES_VERSION=1.7.0 25 | RUN curl -s -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v$KUBERNETES_VERSION/bin/linux/amd64/kubectl && chmod +x /usr/bin/kubectl 26 | 27 | WORKDIR /cert-renew 28 | 29 | CMD ["/bin/bash"] 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2014 The Kubernetes Authors All rights reserved. 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # cert-renew 2 | 3 | [![wercker status](https://app.wercker.com/status/cc5e1ccdb78685d6ff38efc8d3620ee1/m "wercker status")](https://app.wercker.com/project/bykey/cc5e1ccdb78685d6ff38efc8d3620ee1) 4 | 5 | A Docker image that is deployed on Kubernetes to auto-renew the [letsencrypt.org](https://letsencrypt.org) SSL/TLS certificates stored in a mounted volume, via Cron. 6 | 7 | This project began as a fork of [ployst/docker-letsencrypt](https://github.com/ployst/docker-letsencrypt) 8 | that does not use nginx, and therefore, does not directly handle the ACME requests sent by [letsencrypt.org](https://letsencrypt.org) on renewals. Rather, it relies on a separate webserver to handle the LetsEncrypt ACME request so that this microservice is solely focused on renewing the certs. 9 | 10 | For cert-renew to work, you must provide the following: 11 | 12 | - The configuration settings for the LetsEncrypt cert-bot tool, provided in a Kubernetes ConfigMap named `cert-renew-config`, defined as such as: 13 | 14 | ``` 15 | apiVersion: v1 16 | kind: ConfigMap 17 | metadata: 18 | name: cert-renew-config 19 | cert-renew: | 20 | #!/bin/bash 21 | 22 | export DOMAINS='example.com www.example.com' 23 | export EMAIL=joe@example.com 24 | export CRON_FREQUENCY="0 0 1 * *" 25 | export LETSENCRYPT_DIR="/srv/etc/letsencrypt" 26 | export LETSENCRYPT_ENDPOINT="https://acme-staging.api.letsencrypt.org/directory" 27 | 28 | ``` 29 | 30 | Config Options: 31 | 32 | - DOMAINS - a space separated list of domains to obtain a certificate for, enclosed in single quotes 33 | - i.e. DOMAINS='example.com www.example.com' 34 | - EMAIL - the email address to obtain certificates on behalf of. 35 | - i.e. EMAIL=joe@example.com 36 | - CRON_FREQUENCY - optional - the 5-part frequency schedule of the cron job. Default is a random 37 | time in the range `0-59 0-23 1-27 * *` if not specified. 38 | - i.e. "0 0 1 * *" will renew the certs at midnight on the 1st of every month 39 | - LETSENCRYPT_DIR - The path of the mounted volume holding your LetsEncrypt certs. You must supply the full /etc/letsencrypt directory created by LetsEncrypt upon initial cert generation. This project does not handle the initialization of your certs, only their renewal. 40 | - LETSENCRYPT_ENDPOINT - endpoint used to communicate with LetsEncrypt 41 | - i.e. testing endpoint: https://acme-staging.api.letsencrypt.org/directory 42 | - i.e. live endpoint: https://acme-v01.api.letsencrypt.org/directory 43 | 44 | ## Useful commands 45 | 46 | ### Manually renew the certs 47 | 48 | Once this container is running you can generate new certificates using: 49 | 50 | ``` 51 | kubectl exec -it -- /bin/bash -c "EMAIL=joe@example.com DOMAINS='example.com foo.example.com' LETSENCRYPT_DIR="/mycerts/etc/letsencrypt" LETSENCRYPT_ENDPOINT="https://acme-v01.api.letsencrypt.org/directory" ./fetch_certs.sh" 52 | ``` 53 | 54 | 55 | -------------------------------------------------------------------------------- /build_push.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | EXPECTEDARGS=3 4 | if [ $# -lt $EXPECTEDARGS ]; then 5 | echo "Usage: $0 " 6 | echo "i.e.: $0 corekube cert-renew 0.0.1" 7 | exit 0 8 | fi 9 | 10 | REPO=$1 11 | IMAGE=$2 12 | TAG=$3 13 | 14 | result=`docker build --rm -t $REPO/$IMAGE:$TAG .` 15 | echo "$result" 16 | 17 | echo "" 18 | echo "==========================================================" 19 | echo "" 20 | 21 | build_status=`echo $result | grep "Successfully built"` 22 | 23 | if [ "$build_status" ] ; then 24 | docker push $REPO/$IMAGE:$TAG 25 | fi 26 | -------------------------------------------------------------------------------- /clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # clean out k8s components 4 | 5 | EXPECTEDARGS=1 6 | if [ $# -lt $EXPECTEDARGS ]; then 7 | echo "Usage: $0 " 8 | exit 1 9 | fi 10 | 11 | APP_ENV=$1 12 | 13 | # repo envvars 14 | source repo-envvars.sh 15 | 16 | # k8s envvars 17 | NAMESPACE=$APP_NAME-$APP_ENV 18 | 19 | # clear everything 20 | kubectl --namespace=$NAMESPACE delete --ignore-not-found deployment $APP_NAME-deployment 21 | kubectl --namespace=$NAMESPACE delete --ignore-not-found configmap $APP_NAME-config 22 | kubectl --namespace=$NAMESPACE delete --ignore-not-found pvc $APP_NAME-nfs-pvc 23 | -------------------------------------------------------------------------------- /fetch_certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit 4 | set -o nounset 5 | set -o pipefail 6 | 7 | source /etc/config/cert-renew 8 | 9 | EMAIL=${EMAIL} 10 | DOMAINS=(${DOMAINS}) 11 | 12 | if [ -z "$DOMAINS" ]; then 13 | echo "ERROR: Domain list is empty or unset" 14 | exit 1 15 | fi 16 | 17 | if [ -z "$EMAIL" ]; then 18 | echo "ERROR: Email is empty string or unset" 19 | exit 1 20 | fi 21 | 22 | domain_args="" 23 | for i in "${DOMAINS[@]}" 24 | do 25 | domain_args="$domain_args -d $i" 26 | done 27 | 28 | /certbot-auto --no-self-upgrade certonly \ 29 | --authenticator webroot \ 30 | --server $LETSENCRYPT_ENDPOINT \ 31 | --webroot-path /etc/letsencrypt/webrootauth/ \ 32 | --email $EMAIL \ 33 | --renew-by-default \ 34 | $domain_args \ 35 | --agree-tos 36 | -------------------------------------------------------------------------------- /hack/setup-cert-renew.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p /cert-renew 4 | cp start.sh /cert-renew/ 5 | cp fetch_certs.sh /cert-renew/ 6 | cp refresh_ingress.sh /cert-renew/ 7 | -------------------------------------------------------------------------------- /k8s/dev/configmaps/cert-renew-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cert-renew-config 5 | data: 6 | cert-renew: | 7 | #!/bin/bash 8 | 9 | export DOMAINS='corekube.com www.corekube.com' 10 | export EMAIL="corekube@gmail.com" 11 | export LETSENCRYPT_DIR="/srv/etc/letsencrypt" 12 | export LETSENCRYPT_ENDPOINT="https://acme-staging.api.letsencrypt.org/directory" 13 | -------------------------------------------------------------------------------- /k8s/dev/deployment/create-cert-renew-deployment.yaml.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat > cert-renew-deployment.yaml << EOF 4 | apiVersion: extensions/v1beta1 5 | kind: Deployment 6 | metadata: 7 | name: cert-renew-deployment 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: cert-renew 13 | env: dev 14 | template: 15 | metadata: 16 | labels: 17 | app: cert-renew 18 | env: dev 19 | rev: "${BUILD_COMMIT}" 20 | spec: 21 | containers: 22 | - name: cert-renew 23 | image: ${DOCKER_REPO}:${IMAGE_TAG} 24 | volumeMounts: 25 | - name: cert-renew-config 26 | mountPath: /etc/config 27 | - name: cert-renew-nfs-pvc 28 | mountPath: /srv/ 29 | volumes: 30 | - name: cert-renew-config 31 | configMap: 32 | name: cert-renew-config 33 | - name: cert-renew-nfs-pvc 34 | persistentVolumeClaim: 35 | claimName: cert-renew-nfs-pvc 36 | EOF 37 | -------------------------------------------------------------------------------- /k8s/dev/pvc/nfs-pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: cert-renew-nfs-pvc 5 | annotations: 6 | volume.beta.kubernetes.io/storage-class: slow 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 100M 13 | -------------------------------------------------------------------------------- /k8s/prod/configmaps/cert-renew-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cert-renew-config 5 | data: 6 | cert-renew: | 7 | #!/bin/bash 8 | 9 | export DOMAINS='corekube.com www.corekube.com' 10 | export EMAIL="corekube@gmail.com" 11 | export CRON_FREQUENCY="0 16 1 * *" 12 | export LETSENCRYPT_DIR="/srv/etc/letsencrypt" 13 | export LETSENCRYPT_ENDPOINT="https://acme-v01.api.letsencrypt.org/directory" 14 | -------------------------------------------------------------------------------- /k8s/prod/deployment/create-cert-renew-deployment.yaml.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat > cert-renew-deployment.yaml << EOF 4 | apiVersion: extensions/v1beta1 5 | kind: Deployment 6 | metadata: 7 | name: cert-renew-deployment 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: cert-renew 13 | env: prod 14 | template: 15 | metadata: 16 | labels: 17 | app: cert-renew 18 | env: prod 19 | rev: "${BUILD_COMMIT}" 20 | spec: 21 | containers: 22 | - name: cert-renew 23 | image: ${DOCKER_REPO}:${IMAGE_TAG} 24 | volumeMounts: 25 | - name: cert-renew-config 26 | mountPath: /etc/config 27 | - name: cert-renew-nfs-pvc 28 | mountPath: /srv/ 29 | volumes: 30 | - name: cert-renew-config 31 | configMap: 32 | name: cert-renew-config 33 | - name: cert-renew-nfs-pvc 34 | persistentVolumeClaim: 35 | claimName: cert-renew-nfs-pvc 36 | EOF 37 | -------------------------------------------------------------------------------- /k8s/prod/pvc/nfs-pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: cert-renew-nfs-pvc 5 | annotations: 6 | volume.beta.kubernetes.io/storage-class: slow 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 100M 13 | -------------------------------------------------------------------------------- /k8s/stage/configmaps/cert-renew-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cert-renew-config 5 | data: 6 | cert-renew: | 7 | #!/bin/bash 8 | 9 | export DOMAINS='corekube.com www.corekube.com' 10 | export EMAIL="corekube@gmail.com" 11 | export LETSENCRYPT_DIR="/srv/etc/letsencrypt" 12 | export LETSENCRYPT_ENDPOINT="https://acme-staging.api.letsencrypt.org/directory" 13 | -------------------------------------------------------------------------------- /k8s/stage/deployment/create-cert-renew-deployment.yaml.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat > cert-renew-deployment.yaml << EOF 4 | apiVersion: extensions/v1beta1 5 | kind: Deployment 6 | metadata: 7 | name: cert-renew-deployment 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: cert-renew 13 | env: stage 14 | template: 15 | metadata: 16 | labels: 17 | app: cert-renew 18 | env: stage 19 | rev: "${BUILD_COMMIT}" 20 | spec: 21 | containers: 22 | - name: cert-renew 23 | image: ${DOCKER_REPO}:${IMAGE_TAG} 24 | volumeMounts: 25 | - name: cert-renew-config 26 | mountPath: /etc/config 27 | - name: cert-renew-nfs-pvc 28 | mountPath: /srv/ 29 | volumes: 30 | - name: cert-renew-config 31 | configMap: 32 | name: cert-renew-config 33 | - name: cert-renew-nfs-pvc 34 | persistentVolumeClaim: 35 | claimName: cert-renew-nfs-pvc 36 | EOF 37 | -------------------------------------------------------------------------------- /k8s/stage/pvc/nfs-pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: cert-renew-nfs-pvc 5 | annotations: 6 | volume.beta.kubernetes.io/storage-class: slow 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 100M 13 | -------------------------------------------------------------------------------- /refresh_ingress.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cert_file=`ls -Art /etc/letsencrypt/archive/corekube.com/cert* | tail -n 1` 4 | chain_file=`ls -Art /etc/letsencrypt/archive/corekube.com/chain* | tail -n 1` 5 | fullchain_file=`ls -Art /etc/letsencrypt/archive/corekube.com/fullchain* | tail -n 1` 6 | privkey_file=`ls -Art /etc/letsencrypt/archive/corekube.com/privkey* | tail -n 1` 7 | 8 | fullchain=`cat $fullchain_file | base64 -w0` 9 | privkey=`cat $privkey_file | base64 -w0` 10 | 11 | cp /srv/k8s/secrets/nginx-tls-template.yaml /srv/k8s/secrets/nginx-tls.yaml 12 | sed -i "s##$fullchain#g" /srv/k8s/secrets/nginx-tls.yaml 13 | sed -i "s##$privkey#g" /srv/k8s/secrets/nginx-tls.yaml 14 | 15 | kubectl apply -f /srv/k8s/secrets/nginx-tls.yaml -n nginx-prod 16 | 17 | pushd /etc/letsencrypt/live/corekube.com/ 18 | ln -sf ../../archive/corekube.com/`basename $cert_file` cert.pem; 19 | ln -sf ../../archive/corekube.com/`basename $chain_file` chain.pem 20 | ln -sf ../../archive/corekube.com/`basename $fullchain_file` fullchain.pem 21 | ln -sf ../../archive/corekube.com/`basename $privkey_file` privkey.pem 22 | popd 23 | 24 | kubectl patch deploy/nginx-deployment -n nginx-prod --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}" 25 | -------------------------------------------------------------------------------- /repo-envvars.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # default values are intended for local usage rather than ci/cd env 4 | export BUILD_COMMIT=${WERCKER_GIT_COMMIT-`git rev-parse HEAD`} 5 | export BUILD_COMMIT=${BUILD_COMMIT:0:7} 6 | export BUILD_BRANCH=${WERCKER_GIT_BRANCH-`git rev-parse --abbrev-ref HEAD`} 7 | export APP_NAME=${WERCKER_APPLICATION_NAME-`basename $(git rev-parse --show-toplevel)`} 8 | export OWNER_NAME=${WERCKER_APPLICATION_OWNER_NAME-`whoami`} 9 | export OWNER_NAME=`echo $OWNER_NAME | awk '{print tolower($0)}'` 10 | export DOCKER_REPO=${DOCKER_REPO-corekube/$APP_NAME} 11 | export IMAGE_TAG="$OWNER_NAME-$BUILD_BRANCH-${BUILD_COMMIT:0:7}" 12 | -------------------------------------------------------------------------------- /rollout.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # rollout deployment to APP_ENV 4 | REPLACE_DEPLOYMENT=false 5 | 6 | while getopts ":re:" opt; do 7 | case $opt in 8 | r) 9 | REPLACE_DEPLOYMENT=true 10 | ;; 11 | e) 12 | APP_ENV=$OPTARG 13 | ;; 14 | \?) 15 | echo "Invalid option: -$OPTARG" >&2 16 | exit 1 17 | ;; 18 | :) 19 | echo "Option -$OPTARG requires an argument." >&2 20 | exit 1 21 | ;; 22 | esac 23 | done 24 | 25 | # repo envvars 26 | source repo-envvars.sh 27 | 28 | # k8s envvars 29 | NAMESPACE=$APP_NAME-$APP_ENV 30 | 31 | # apply persistent volume claim 32 | PVC_NAME=nfs-pvc 33 | PVC_FILEPATH=k8s/$APP_ENV/pvc/${PVC_NAME}.yaml 34 | kubectl --namespace=$NAMESPACE apply -f $PVC_FILEPATH 35 | 36 | # apply nginx configmap 37 | CONFIGMAP_NAME=$APP_NAME-config 38 | CONFIGMAP_FILEPATH=k8s/$APP_ENV/configmaps/${CONFIGMAP_NAME}.yaml 39 | kubectl --namespace=$NAMESPACE apply -f $CONFIGMAP_FILEPATH 40 | 41 | # apply || replace deployment 42 | DEPLOYMENT_FILEPATH=k8s/$APP_ENV/deployment/$APP_NAME-deployment.yaml 43 | pushd k8s/$APP_ENV/deployment > /dev/null 44 | ./create-$APP_NAME-deployment.yaml.sh 45 | popd > /dev/null 46 | 47 | if [ "$REPLACE_DEPLOYMENT" = true ] ; then 48 | ACTION=replace 49 | else 50 | ACTION=apply 51 | fi 52 | kubectl --namespace=$NAMESPACE $ACTION -f $DEPLOYMENT_FILEPATH 53 | -------------------------------------------------------------------------------- /start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source /etc/config/cert-renew 4 | 5 | # fwd logs to docker log collector 6 | ln -sf /dev/stdout /var/log/cert-renew.log 7 | 8 | # soft link /etc/letsencrypt locally from $LETSENCRYPT_DIR volume mount 9 | while [ ! -d "$LETSENCRYPT_DIR" ] 10 | do 11 | sleep 2 12 | done 13 | ls -alh $LETSENCRYPT_DIR 14 | rm -rf /etc/letsencrypt 15 | ln -s "$LETSENCRYPT_DIR" /etc/ 16 | 17 | # Once a month, fetch and save certs 18 | minute=$(echo $RANDOM % 60 | bc) 19 | hour=$(echo $RANDOM % 23 | bc) 20 | day=$(echo $RANDOM % 27 + 1 | bc) 21 | month_dow="* *" 22 | random_cron_frequency="$minute $hour $day $month_dow" 23 | CRON_FREQUENCY=${CRON_FREQUENCY:-"$(echo "$random_cron_frequency")"} 24 | 25 | echo "" 26 | echo "Configuring cron cron_entry..." 27 | echo "DOMAINS: " $DOMAINS 28 | echo "EMAIL: " $EMAIL 29 | echo "CRON frequency: " "$CRON_FREQUENCY" 30 | 31 | # create the entry and the cron-ready entry 32 | entry="DOMAINS='$DOMAINS' EMAIL=$EMAIL /bin/bash /cert-renew/fetch_certs.sh >> /var/log/cert-renew.log 2>&1 ; /bin/bash /cert-renew/refresh_ingress.sh" 33 | cron_entry="$CRON_FREQUENCY $entry" 34 | 35 | # enable the entry in cron 36 | echo "" 37 | echo "Enabling cron entry..." 38 | (crontab -u root -l; echo "$cron_entry") | crontab -u root - 39 | 40 | echo "" 41 | echo "List cron entries..." 42 | crontab -l 43 | 44 | # always run the entry on start 45 | echo "" 46 | echo "Run cron entry..." 47 | eval $entry 48 | 49 | # Start cron job 50 | echo "" 51 | echo "Starting cron job..." 52 | cron & 53 | 54 | # Sleep inifinitely 55 | echo "Sleeping infinitely to allow cron to run..." 56 | sleep infinity 57 | -------------------------------------------------------------------------------- /wercker.yml: -------------------------------------------------------------------------------- 1 | build: 2 | box: corekube/cert-renew:0.0.7 3 | # The steps that will be executed in the build pipeline 4 | steps: 5 | # Copy scripts to work with certs 6 | - script: 7 | name: copy files 8 | code: | 9 | ./hack/setup-cert-renew.sh 10 | 11 | # Source repo envvars for used to build Docker image 12 | - script: 13 | name: source repo envvars 14 | code: | 15 | source repo-envvars.sh 16 | 17 | # Build & push a Docker image 18 | - internal/docker-push: 19 | username: $DOCKER_USERNAME 20 | password: $DOCKER_PASSWORD 21 | tag: $IMAGE_TAG 22 | ports: "5000" 23 | repository: $DOCKER_REPO 24 | entrypoint: /cert-renew/start.sh 25 | 26 | # Notify slack 27 | after-steps: 28 | - metral/slack-notifier@1.2.2: 29 | url: $SLACK_URL 30 | channel: $SLACK_CHANNEL 31 | username: $SLACK_USER 32 | 33 | deploy: 34 | box: corekube/cert-renew:0.0.7 35 | # The steps that will be executed in the DEPLOY pipeline 36 | 37 | dev: 38 | # Setup kubectl 39 | - script: 40 | name: setup kubectl 41 | code: | 42 | curl -s -o /tmp/setup-kubectl.sh https://gist.githubusercontent.com/metral/28b34fd51ad6a625cb0258f335ed0001/raw/f0aae0450fc3ed9f538bc3ddb1ffcef203b35398/setup-kubectl.sh 43 | chmod +x /tmp/setup-kubectl.sh 44 | /tmp/setup-kubectl.sh 45 | 46 | # rollout 47 | - script: 48 | name: rollout to dev 49 | code: | 50 | ./rollout.sh -e dev 51 | 52 | # Stage deploy pipeline 53 | stage: 54 | box: corekube/cert-renew:0.0.7 55 | steps: 56 | # Setup kubectl 57 | - script: 58 | name: setup kubectl 59 | code: | 60 | curl -s -o /tmp/setup-kubectl.sh https://gist.githubusercontent.com/metral/28b34fd51ad6a625cb0258f335ed0001/raw/f0aae0450fc3ed9f538bc3ddb1ffcef203b35398/setup-kubectl.sh 61 | chmod +x /tmp/setup-kubectl.sh 62 | /tmp/setup-kubectl.sh 63 | 64 | # rollout 65 | - script: 66 | name: rollout to stage 67 | code: | 68 | ./rollout.sh -e stage 69 | 70 | # Notify slack of build status 71 | after-steps: 72 | - metral/slack-notifier@1.2.2: 73 | url: $SLACK_URL 74 | channel: $SLACK_CHANNEL 75 | username: $SLACK_USER 76 | 77 | # Prod deploy pipeline 78 | prod: 79 | box: corekube/cert-renew:0.0.7 80 | steps: 81 | # Setup kubectl 82 | - script: 83 | name: setup kubectl 84 | code: | 85 | curl -s -o /tmp/setup-kubectl.sh https://gist.githubusercontent.com/metral/28b34fd51ad6a625cb0258f335ed0001/raw/f0aae0450fc3ed9f538bc3ddb1ffcef203b35398/setup-kubectl.sh 86 | chmod +x /tmp/setup-kubectl.sh 87 | /tmp/setup-kubectl.sh 88 | 89 | 90 | # rollout 91 | - script: 92 | name: rollout to prod 93 | code: | 94 | ./rollout.sh -e prod 95 | 96 | # Notify slack of build status 97 | after-steps: 98 | - metral/slack-notifier@1.2.2: 99 | url: $SLACK_URL 100 | channel: $SLACK_CHANNEL 101 | username: $SLACK_USER 102 | --------------------------------------------------------------------------------