Add Support for AWS Certificate Manager
I would like to be able to attach ACM certs and keys to a pod for use as a Volume mount. I have some software that needs a TLS keypair on the local filesystem. I could use a Secret but that's ugly because I'd have to figure out how to update it when the cert is renewed.
The ideal solution would put the cert and key on the pod's filesystem (permissions appropriately set) and would keep them updated when the cert changes. Presumably, the pod would just be restarted when the cert changes...not sure how this would work.
An implied task for this issue is creating an ACM Certificate resource so that I could generate everything with one nice YAML.
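As an added example (not code from this issue or from aws-service-operator), here is the pod-side piece of that ideal solution: write the pair to disk with the key readable only by the owner, swap files atomically so a reader never sees a half-written key, and report whether the certificate actually changed so the caller can decide on a restart. File names and the fingerprint-based change check are assumptions.

```python
"""Materialise a TLS cert/key pair on the pod filesystem with restrictive
permissions and report whether the certificate rotated (added example)."""
import base64
import hashlib
import os
import re
import tempfile

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first PEM block (same value as
    `openssl x509 -fingerprint -sha256` without the colons)."""
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
    return hashlib.sha256(der).hexdigest()


def _write_atomic(path: str, data: str, mode: int) -> None:
    """Write via temp file + rename so the target is never partially written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        os.write(fd, data.encode())
        os.fchmod(fd, mode)  # set perms before the file becomes visible
    finally:
        os.close(fd)
    os.replace(tmp, path)


def install_keypair(directory: str, cert_pem: str, key_pem: str) -> bool:
    """Place tls.crt (0644) and tls.key (0600) in `directory`.

    Returns True when the certificate differs from what is already on disk,
    i.e. the signal an operator would use to trigger a pod restart.
    """
    os.makedirs(directory, mode=0o700, exist_ok=True)
    cert_path = os.path.join(directory, "tls.crt")
    old_fp = None
    if os.path.exists(cert_path):
        with open(cert_path) as f:
            old_fp = pem_fingerprint(f.read())
    if old_fp == pem_fingerprint(cert_pem):
        return False  # nothing rotated; leave files untouched
    _write_atomic(os.path.join(directory, "tls.key"), key_pem, 0o600)
    _write_atomic(cert_path, cert_pem, 0o644)  # cert last: key is in place first
    return True
```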
@chrissnell Interesting use case, we could make it so that the operator can create, update and delete the certs. Looking at what I can code generate, without having to custom build the operator, I'd be able to return the ARN of the KeyPair into a ConfigMap; I can't get the raw Cert data from the CFN outputs.
Would this be beneficial? We could automate the creation, and write the ARN to a ConfigMap or Secret and then your pod could mount that and before the application booted it fetched the data using the ARN… This wouldn't solve keeping the cert updated when it needed to be updated though.
Hi @christopherhein , the ACM cert resource helps but I see it as more of an ancillary to this issue rather than the crux of it. The automated updating of the keypair is what I'm after. That feels very much like a Kube operator kind of function. Operator gets assigned an IAM role to manage and retrieve certs, then manages the pods' volumes and pod restarts.
You're right, it definitely does sound like a great use for the / an operator. I'm contemplating how we could do this easily first, with custom functions later like autorotating. Given the nature of these operators being built from yaml definitions - https://github.com/awslabs/aws-service-operator/tree/master/models - I absolutely think this could be added.
We have been using ACM certs on LBs, and are pretty familiar with some of these operations. I think the best initial support for ACM would be the automatic provisioning of certificates based on a loadbalancer annotation.
Right now, I have to create the cert and associated components, and then manually copy the ARN into my LB config.
Interesting, this would be very cool. Might be something we can accommodate; the first pass at this will likely involve purely creating the resources as CRDs. Adding the custom hooks to pull and inject the ARN might need to be a secondary addition, but I really like the idea.