flywithu/community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update letsencrypt to 0.5.0

Browse Source
This commit is contained in:
Anner J. Bonilla 2017-08-02 09:38:27 -04:00
parent 9aabfd44bb
commit 56199081f8
4 changed files with 381 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
templates/letsencrypt/4/README.md Normal file
View File

@ -0,0 +1,101 @@
# Let's Encrypt Certificate Manager
### About
The Let's Encrypt Certificate Manager obtains a free (SAN) SSL Certificate from the [Let's Encrypt CA](https://letsencrypt.org/) and adds it to Rancher's certificate store. Once the certificate is created it is scheduled for automatic renewal 20-days before expiration. Rancher load balancer services are automatically updated to use the renewed certificate.
### Changelog v0.5.0
- Added support for Aurora DNS, Azure DNS and NS1
- Added support for stopping container after creating/renewing certificate
- Added configuration option to specify DNS resolvers to use (fixes an issue with private zones on AWS)
- Added configuration option to specify renewal grace period
- Added support for Rancher servers using self-signed certs
- Logs now contain ACME library messages
### Usage
1. Accept the terms of service.
2. Select the API version to use. The Sandbox API should be used for testing purposes.
3. Fill in your email address.
4. Enter the name used for storing the certificate in Rancher and volumes. Any existing certificate by that name will be updated.
5. Enter one or more domain names. The first domain will be used as the Common Name property of the certificate.
6. Fill in the required credentials for the chosen provider. Note provider specific usage notes below.
If you want the certificate to be automatically renewed, leave the service running. Otherwise you may remove the service once the certificate has appeared in Rancher's certificate store.
### Store data in a persistent volume
If you specify a name under "Volume Name" then account data, certificate and private key are stored in a (host scoped) Docker volume with the specified name.
To store the data in a stack scoped volume that can be shared with services running on other hosts, you should provide the name of an already active persistent storage service under "Persistent Storage Driver". See the [Storage Service documentation](https://docs.rancher.com/rancher/v1.3/en/rancher-services/storage-service/).
#### Example
1. Configure the service with a volume named "letsencrypt".
2. Mount the volume to `/etc/letsencrypt` in another service.
This service can then access the certificate and key in the following locations:
- `/etc/letsencrypt/production/certs/<certificate name>/fullchain.pem`
- `/etc/letsencrypt/production/certs/<certificate name>/privkey.pem`
where `<certificate name>` is the name of the certificate sanitized to consist of only the following characters: `[a-zA-Z0-9-_.]`.
### Provider specific usage
#### AWS Route 53
Note: If you have both a private and public zone for the domain, make sure you configure the service to use public DNS resolvers (the default ones are fine).
The following IAM policy describes the minimum permissions required when using AWS Route 53 for domain authorization.
Replace `<HOSTED_ZONE_ID>` with the ID of the hosted zone that encloses the domain(s) for which you are going to obtain certificates. You may use a wildcard (*) in place of the ID to make this policy work with all of the hosted zones associated with an AWS account.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListHostedZonesByName"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"
]
}
]
}
```
#### OVH
First create your credentials on https://eu.api.ovh.com/createToken/ by filling out the form like this:
- `Account ID`: Your OVH account ID
- `Password`: Your password
- `Script name`: letsencrypt
- `Script description`: Letsencrypt for Rancher
- `Validity`: Unlimited
- `Rights`:
- GET /domain/zone/*
- POST /domain/zone/*
- DELETE /domain/zone/*
Then deploy this service using the generated key, application secret and consumer key.
#### HTTP
If you prefer not to use a DNS-based challenge or your provider is not supported, you can use the HTTP challenge.
Simply choose `HTTP` from the list of providers.
Then make sure that HTTP requests to `domain.com/.well-known/acme-challenge` are forwarded to port 80 of the `rancher-letsencrypt` service, e.g. by configuring a Rancher load balancer accordingly. Make sure the reverse proxy passes the original `host` header to the backend.
### Suggestions & bug reports
Please submit suggestions or any issues you find to the [rancher-letsencrypt](https://github.com/janeczku/rancher-letsencrypt) GitHub repo.

53
templates/letsencrypt/4/docker-compose.yml.tpl Normal file
View File

@ -0,0 +1,53 @@
version: '2'
services:
letsencrypt:
image: janeczku/rancher-letsencrypt:v0.5.0
environment:
EULA: ${EULA}
API_VERSION: ${API_VERSION}
CERT_NAME: ${CERT_NAME}
EMAIL: ${EMAIL}
DOMAINS: ${DOMAINS}
PUBLIC_KEY_TYPE: ${PUBLIC_KEY_TYPE}
RENEWAL_TIME: ${RENEWAL_TIME}
PROVIDER: ${PROVIDER}
CLOUDFLARE_EMAIL: ${CLOUDFLARE_EMAIL}
CLOUDFLARE_KEY: ${CLOUDFLARE_KEY}
DO_ACCESS_TOKEN: ${DO_ACCESS_TOKEN}
AWS_ACCESS_KEY: ${AWS_ACCESS_KEY}
AWS_SECRET_KEY: ${AWS_SECRET_KEY}
DNSIMPLE_EMAIL: ${DNSIMPLE_EMAIL}
DNSIMPLE_KEY: ${DNSIMPLE_KEY}
DYN_CUSTOMER_NAME: ${DYN_CUSTOMER_NAME}
DYN_USER_NAME: ${DYN_USER_NAME}
DYN_PASSWORD: ${DYN_PASSWORD}
VULTR_API_KEY: ${VULTR_API_KEY}
OVH_APPLICATION_KEY: ${OVH_APPLICATION_KEY}
OVH_APPLICATION_SECRET: ${OVH_APPLICATION_SECRET}
OVH_CONSUMER_KEY: ${OVH_CONSUMER_KEY}
GANDI_API_KEY: ${GANDI_API_KEY}
AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
AZURE_SUBSCRIPTION_ID: ${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID: ${AZURE_TENANT_ID}
AZURE_RESOURCE_GROUP: ${AZURE_RESOURCE_GROUP}
volumes:
- /var/lib/rancher:/var/lib/rancher
- lets-encrypt:/etc/letsencrypt
labels:
io.rancher.container.create_agent: 'true'
io.rancher.container.agent.role: 'environment'
{{- if eq .Values.RUN_ONCE "true" }}
io.rancher.container.start_once: "true"
{{- end }}
{{- if .Values.VOLUME_NAME}}
volumes:
{{.Values.VOLUME_NAME}}:
{{- if .Values.STORAGE_DRIVER}}
driver: {{.Values.STORAGE_DRIVER}}
{{- if .Values.STORAGE_DRIVER_OPT}}
driver_opts:
{{.Values.STORAGE_DRIVER_OPT}}
{{- end }}
{{- end }}
{{- end }}

226
templates/letsencrypt/4/rancher-compose.yml Normal file
View File

@ -0,0 +1,226 @@
.catalog:
name: Let's Encrypt
version: 0.5.0
description: Trusted SSL certificates at zero cost
minimum_rancher_version: v1.5.0
questions:
- variable: EULA
label: I Agree to the Let's Encrypt TOS
description: |
Read https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
required: true
type: enum
options:
- "Yes"
- "No"
- variable: API_VERSION
label: Let's Encrypt API Version
description: |
Select the Let's Encrypt API endpoint used for issuing the certificate.
Use `Sandbox` for testing your configuration.
required: true
type: enum
default: Production
options:
- Production
- Sandbox
- variable: EMAIL
label: Your Email Address
description: |
Enter the email address to use for creating the Let's Encrypt account.
required: true
type: string
- variable: CERT_NAME
label: Certificate Name
description: |
Name for storing the certificate in the Rancher API and in volumes.
Any existing certificate by that name will be updated.
required: true
type: string
- variable: DOMAINS
label: Domain Names
description: |
Comma delimited list of the certificate domains starting with the Common Name.
E.g: `example.com, dev.example.com`.
required: true
type: string
- variable: PUBLIC_KEY_TYPE
label: Public Key Algorithm
description: |
Select one of the available key types.
required: true
type: enum
default: RSA-2048
options:
- RSA-2048
- RSA-4096
- RSA-8192
- ECDSA-256
- ECDSA-384
- variable: RENEWAL_TIME
label: Renewal Time of Day (00-23)
description: |
Set the time of day (UTC in hours) at which certificate renewals should be run.
default: 12
required: true
type: int
- variable: RENEWAL_PERIOD_DAYS
label: Renewal Grace Period
description: |
Number of days before expiration the certificate should be renewed / become eligible for renewal.
default: 20
required: true
type: int
- variable: RUN_ONCE
label: Run Once
description: |
Stop the service after creating or renewing the certificate instead of continously running and managing renewal.
required: true
type: boolean
default: false
- variable: DNS_RESOLVERS
label: DNS Resolvers
description: |
Comma delimited list of DNS resolvers used to check propagation of ACME TXT record.
If empty the DNS resolvers configured in your hosts /etc/resolv.conf are used.
required: false
default: "8.8.8.8:53,8.8.4.4:53"
type: string
- variable: VOLUME_NAME
label: Volume Name (Optional)
description: |
To store the account data, certificates and private keys in a volume, enter the volume name that should be used.
By default this will be a (host scoped) named Docker volume. See "Persistent Storage Driver" for other options.
required: false
type: string
- variable: STORAGE_DRIVER
label: Volume Storage Driver (Optional)
description: |
To use a stack scoped volume backed by a persistent storage service, enter the name
of an existing storage driver (see `Infrastructure -> Storage`). This also requires "Volume Name" to be set.
required: false
type: string
- variable: STORAGE_DRIVER_OPT
label: Storage Driver Option (Optional)
description: |
Specify a single "driver_opts" key/value pair in the format "optionName: optionValue".
E.g. for the `rancher-ebs` driver you should specify the required 'size' option like this: "size: 1".
required: false
type: string
- variable: PROVIDER
label: Domain Validation Method
description: Select a DNS provider to use for domain validation. Use 'HTTP' if your domain is hosted elsewhere.
required: true
type: enum
options:
- CloudFlare
- DigitalOcean
- DNSimple
- Dyn
- Gandi
- Ovh
- Route53
- Vultr
- HTTP
- Azure
- NS1
- variable: AWS_ACCESS_KEY
label: AWS Route53 Access Key Id
description: Enter the Access Key Id for your AWS account.
type: string
required: false
- variable: AWS_SECRET_KEY
label: AWS Route53 Secret Access Key
description: Enter the Secret Access Key for your AWS account.
type: password
required: false
- variable: AZURE_CLIENT_ID
label: Azure Client ID
description: Enter the Client Id for your Azure account.
type: string
required: false
- variable: AZURE_CLIENT_SECRET
label: Azure Client Secret
description: Enter the Access Key Id for your Azure account.
type: password
required: false
- variable: AZURE_SUBSCRIPTION_ID
label: Azure Subscription Id
description: Enter the Azure Subscription Id for your Azure account.
type: string
required: false
- variable: AZURE_TENANT_ID
label: Azure Tenant Id
description: Enter the Azure Tenant Id for your Azure account.
type: string
required: false
- variable: AZURE_RESOURCE_GROUP
label: Azure Resource Group
description: Enter the Azure Resource Group for your Azure account.
type: string
required: false
- variable: CLOUDFLARE_EMAIL
label: CloudFlare Email Address
description: Enter the email address associated with your CloudFlare account.
type: string
required: false
- variable: CLOUDFLARE_KEY
label: CloudFlare API Key
description: Enter the Global API Key for your CloudFlare account.
type: password
required: false
- variable: DO_ACCESS_TOKEN
label: DigitalOcean API Access Token
description: Enter the Personal Access Token for your DigitalOcean account.
type: password
required: false
- variable: DNSIMPLE_EMAIL
label: DNSimple Email Address
description: Enter the email address associated with your DNSimple account.
type: string
required: false
- variable: DNSIMPLE_KEY
label: DNSimple API Key
description: Enter your DNSimple API key.
type: password
required: false
- variable: DYN_CUSTOMER_NAME
label: Dyn Customer Name
description: Enter your Dyn customer name.
type: string
required: false
- variable: DYN_USER_NAME
label: Dyn User Name
description: Enter your Dyn user name.
type: string
required: false
- variable: DYN_PASSWORD
label: Dyn Password
description: Enter your Dyn password.
type: password
required: false
- variable: GANDI_API_KEY
label: Gandi API Key
description: Enter the API key for your Gandi account.
type: password
required: false
- variable: OVH_APPLICATION_KEY
label: OVH Application Key
description: Enter your OVH application key.
type: string
required: false
- variable: OVH_APPLICATION_SECRET
label: OVH Application Secret
description: Enter your OVH application secret.
type: password
required: false
- variable: OVH_CONSUMER_KEY
label: OVH Consumer Key
description: Enter your OVH consumer key.
type: password
required: false
- variable: VULTR_API_KEY
label: Vultr API Key
description: Enter the API key for your Vultr account.
type: password
required: false

2
templates/letsencrypt/config.yml
View File

@ -1,7 +1,7 @@
name: Let's Encrypt name: Let's Encrypt
description: | description: |
Trusted SSL certificates at zero cost Trusted SSL certificates at zero cost
version: 0.4.0 version: 0.5.0
category: Security category: Security
maintainer: Jan Bruder <jan@rancher.com> maintainer: Jan Bruder <jan@rancher.com>
license: The MIT License license: The MIT License