Cert-i-bot - SSL/TLS Automation for GKE Clusters

certbot ssl automation istio gke slack notifications 08-10-2024

Introduction

Certbot is a powerful tool for automating SSL/TLS certificate management using Let’s Encrypt.

In this solution, I’ve built a microservice container that runs as a Kubernetes cron job and automates the renewal of SSL/TLS certificates, keeping communication within a Google Kubernetes Engine (GKE) cluster secure. It integrates with Istio and the Load Balancers so that the renewed certificates enable mutual TLS (mTLS).

📌 Technology Stack: Certbot, Let’s Encrypt, Istio, GKE, Slack & Email Notifications


Why Automate SSL Certificates?

SSL/TLS certificates issued by Let’s Encrypt are used to secure service communications.

These certificates are valid for only 3 months, so they must be renewed regularly.

Manual renewal is tedious and prone to errors, so I’ve implemented an automated solution to handle this process.


Automated Process Overview

The certificate renewal process is scheduled to run every two months, ensuring up-to-date security across the cluster. Here’s how the automation works:

Certbot Workflow

  1. Download Existing Certificates: Retrieves the current certificates from the Cloud Storage bucket.
  2. Renew Certificates: Renews SSL certificates through Let’s Encrypt.
  3. Update Certificate Manager: Attaches the renewed certificate to the Ingress for external traffic.
  4. Update K8s Secrets: Refreshes the Kubernetes secret used by Istio for mTLS within the cluster.
  5. Backup to Cloud Storage: Uploads the renewed certificates back to the Cloud Storage bucket for safekeeping.
  6. Notify Teams: Sends a renewal update via Slack and email to keep teams informed.
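The six steps above, written out as the body of the cron job (an added example, not the project's own code). The bucket path, domain, secret name, Certificate Manager name and Slack webhook are constructed placeholders; the gcloud certificate-manager update flags are assumed from the CLI's documented syntax. One check the workflow benefits from is added here: the renewed certificate's expiry is read back before the Load Balancer and the Istio secret are touched, so a renewal that silently did not take effect never replaces a working certificate.

```python
"""Cron-job body for the six-step workflow above (added example, not the project's code).
Bucket, domain, secret and webhook values are constructed placeholders."""
import base64, json, subprocess, urllib.request
from datetime import datetime, timedelta, timezone

LIVE = "/etc/letsencrypt"                        # certbot state dir, synced from the bucket
BUCKET = "gs://example-cert-backup/letsencrypt"  # placeholder Cloud Storage path
DOMAIN, SECRET, NS = "svc.example.com", "istio-ingress-cert", "istio-system"
CERT_MGR_NAME = "svc-example-com"                # placeholder Certificate Manager cert name
SLACK_WEBHOOK = "https://hooks.slack.com/services/PLACEHOLDER"

def run(*cmd):
    """Run a command and return stdout; any non-zero exit aborts the job."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_openssl_enddate(line):
    """Parse 'notAfter=Jan  1 12:00:00 2025 GMT' as printed by `openssl x509 -enddate -noout`."""
    value = line.strip().split("=", 1)[1].removesuffix(" GMT")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def within_renewal_window(not_after, now, days=30):
    """True when the cert is inside certbot's default 30-day renewal window."""
    return not_after - now <= timedelta(days=days)

def build_tls_secret(name, namespace, cert_pem, key_pem):
    """TLS Secret manifest an Istio Gateway can reference via credentialName."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": enc(cert_pem), "tls.key": enc(key_pem)}}

def main():
    run("gsutil", "-m", "rsync", "-r", BUCKET, LIVE)            # 1. download existing certs/state
    run("certbot", "renew", "--non-interactive", "--quiet")    # 2. renew; a 3-month cert checked every 2 months is in the window
    cert, key = (f"{LIVE}/live/{DOMAIN}/{f}" for f in ("fullchain.pem", "privkey.pem"))
    not_after = parse_openssl_enddate(run("openssl", "x509", "-enddate", "-noout", "-in", cert))
    if within_renewal_window(not_after, datetime.now(timezone.utc)):
        raise SystemExit(f"{DOMAIN} still expires {not_after:%Y-%m-%d}: renewal did not take effect, nothing updated")
    run("gcloud", "certificate-manager", "certificates", "update", CERT_MGR_NAME,   # 3. Load Balancer cert (flags assumed)
        f"--certificate-file={cert}", f"--private-key-file={key}")
    manifest = json.dumps(build_tls_secret(SECRET, NS, open(cert).read(), open(key).read()))
    subprocess.run(["kubectl", "apply", "-f", "-"], input=manifest, text=True, check=True)  # 4. Istio secret
    run("gsutil", "-m", "rsync", "-r", LIVE, BUCKET)            # 5. backup renewed state
    body = json.dumps({"text": f"Renewed {DOMAIN}; valid until {not_after:%Y-%m-%d}"}).encode()
    urllib.request.urlopen(urllib.request.Request(SLACK_WEBHOOK, body, {"Content-Type": "application/json"}))  # 6. notify

if __name__ == "__main__":
    main()
```

Because the job aborts before step 3 when the certificate is still inside the renewal window, a failed renewal shows up as a non-zero cron job exit rather than as a cluster left with a half-updated certificate.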

Troubleshooting

In case of renewal failure, here’s a quick manual fallback:

  1. Manual Certificate Issue: Use the command below to manually generate a certificate.
    certbot certonly --manual --preferred-challenges=dns --email ${EMAIL} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d ${DOMAIN_NAME}
  2. Setup and Configure: Copy the issued certificate files, configure the Load Balancer, and update Kubernetes secrets.
  3. Cloud Backup: Upload the manually issued certificates to Cloud Storage.

Certificate Renewal Limitations

Let’s Encrypt imposes rate limits on certificate issuance, so repeatedly re-issuing certificates for the same domain within a short period can be refused. Be mindful of these limits to avoid disruptions.


With this automated solution, managing SSL certificates becomes effortless, ensuring seamless security across the GKE cluster. Certbot handles the heavy lifting, while Slack and email notifications keep the team in the loop.


Nihit Jain

Architecting DevOps 🏗️ with Data, AI, Security, & IoT on Cloud ☁️



