badouralix/rancher-auto-certs-v2

By badouralix

Updated over 3 years ago

Rancher operator managing certificates


Rancher Auto Certs v2


https://github.com/jonremy/rancher-auto-certs with wildcard support

DNS Provider setup

OVH
| Environment Variable Name | Description |
| --- | --- |
| OVH_APPLICATION_KEY | Application key |
| OVH_APPLICATION_SECRET | Application secret |
| OVH_CONSUMER_KEY | Consumer key |
| OVH_ENDPOINT | Endpoint URL (ovh-eu or ovh-ca) |

Create keys in https://eu.api.ovh.com/createToken/

| Field | Value |
| --- | --- |
| Script name | rancher-auto-certs-v2 |
| Script description | Resolve ACME DNS-01 challenge |
| Validity | Unlimited |
| Rights | POST /domain/zone/[FQDN]/record |
| Rights | POST /domain/zone/[FQDN]/refresh |
| Rights | DELETE /domain/zone/[FQDN]/record/* |

More documentation on https://github.com/ovh/go-ovh#use-the-api-for-a-single-user

Warning: see https://community.ovh.com/t/createtoken-invalid-account-password/12454/2

Configuring multiple providers

Provider credentials are normally supplied as environment variables. If a provider must be instantiated multiple times (for instance for domains registered on different accounts), these variables can instead be defined per certificate in the config file. See example.

HTTP Provider setup

ACME tokens will be written to /media/acme-challenge/.well-known/acme-challenge/.

Rancher setup

| Environment Variable Name | Description |
| --- | --- |
| CATTLE_URL | The URL that is in the host registration |
| CATTLE_ACCESS_KEY | An access key for the environment that the service is being launched in |
| CATTLE_SECRET_KEY | A secret key for the access key |

These environment variables are automatically provisioned for service accounts. Add the following labels to the Rancher service:

| Key | Value | Description |
| --- | --- | --- |
| io.rancher.container.create_agent | true | Indicates that the service account API keys will be passed as environment variables to each container |
| io.rancher.container.agent.role | environment | Indicates the role of the account; for service accounts the value is environment |

More documentation on https://rancher.com/docs/rancher/v1.6/en/rancher-services/service-accounts/

Configuration

Configuration is stored in config/config.yml. See example.

It populates a globalConfig struct defined as follows:

type certConfig struct {
	AccountEmail       string `yaml:"account_email"`
	AccountKey         string `yaml:"account_key"`
	CA                 string
	Challenge          string
	CreateKeyIfMissing *bool `yaml:"create_key_if_missing"` // boolean pointer here to differentiate empty value from zero value
	Description        string
	Domains            []string
	DumpPath           string            `yaml:"dump_path,omitempty"`
	Env                map[string]string `json:",omitempty" yaml:",omitempty"`
	KeyType            string            `yaml:"key_type"`
	Name               string
	Provider           string `json:",omitempty" yaml:",omitempty"`
}

type defaultConfig struct {
	AccountEmail       string `yaml:"account_email"`
	AccountKey         string `yaml:"account_key"`
	CA                 string
	Challenge          string
	CreateKeyIfMissing bool `yaml:"create_key_if_missing"`
	Description        string
	DumpPath           string `yaml:"dump_path,omitempty"`
	KeyType            string `yaml:"key_type"`
	Provider           string `json:",omitempty" yaml:",omitempty"`
}

type globalConfig struct {
	Default defaultConfig
	Certs   []certConfig
}

Each missing key in certConfig is then populated by values from defaultConfig.
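The merge just described, written out as an added example (not the project's own code): the page's structs are reproduced without yaml tags, since nothing is parsed here, and the `applyDefaults` function and its treatment of the `*bool` field are my reading of "each missing key is populated from defaultConfig", not code taken from the repository.

```go
package main

// Config structs as described on the page (yaml tags dropped: nothing is parsed here).
type certConfig struct {
	AccountEmail, AccountKey, CA, Challenge string
	CreateKeyIfMissing                      *bool // nil means "unset", unlike an explicit false
	Description, DumpPath, KeyType, Name    string
	Domains                                 []string
	Env                                     map[string]string // per-cert provider credentials
	Provider                                string
}

type defaultConfig struct {
	AccountEmail, AccountKey, CA, Challenge  string
	CreateKeyIfMissing                       bool
	Description, DumpPath, KeyType, Provider string
}

type globalConfig struct {
	Default defaultConfig
	Certs   []certConfig
}

// applyDefaults populates each missing certConfig key from defaultConfig; a cert's
// own Env and Provider win, which is how one provider runs with several accounts.
// The input is not modified; a new slice of merged configs is returned.
func applyDefaults(cfg globalConfig) []certConfig {
	d, out := cfg.Default, make([]certConfig, len(cfg.Certs))
	for i, c := range cfg.Certs {
		pairs := []struct{ dst *string; def string }{
			{&c.AccountEmail, d.AccountEmail}, {&c.AccountKey, d.AccountKey},
			{&c.CA, d.CA}, {&c.Challenge, d.Challenge}, {&c.Description, d.Description},
			{&c.DumpPath, d.DumpPath}, {&c.KeyType, d.KeyType}, {&c.Provider, d.Provider},
		}
		for _, p := range pairs {
			if *p.dst == "" {
				*p.dst = p.def
			}
		}
		if c.CreateKeyIfMissing == nil { // explicit false survives even when the default is true
			v := d.CreateKeyIfMissing
			c.CreateKeyIfMissing = &v
		}
		out[i] = c
	}
	return out
}
```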

Docker Pull Command

docker pull badouralix/rancher-auto-certs-v2