This repository contains source code for the AWS Controllers for Kubernetes (ACK) service controller for AWS Private Certificate Authority.
Please log issues and feedback on the main AWS Controllers for Kubernetes GitHub project.
The ACK service controller for AWS Private Certificate Authority supports the following resources:
- CertificateAuthority
- Certificate
- CertificateAuthorityActivation
The ACK service controller for AWS Private Certificate Authority is free of charge. With AWS Private Certificate Authority (AWS Private CA), you pay a monthly fee for the operation of each private certificate authority (CA), the private certificates you issue each month, and the use of the Online Certificate Status Protocol (OCSP). Learn more about AWS Private Certificate Authority Pricing.
Go to the samples directory and follow the README to create resources.
After creating your CA hierarchy via the ACK service controller for AWS Private Certificate Authority, you can use cert-manager and the AWS Private CA Issuer Plugin to deploy managed private certificates in your cluster.
The ACK service controller for AWS Private Certificate Authority uses Kubernetes Secrets to store certificates and certificate chains. Users are expected to create the Secrets before creating Certificate and CertificateAuthorityActivation resources. As these resources are created, the Secrets are injected with either the certificate or the certificate chain. Users are responsible for deleting the Secrets.
Before creating the Certificate resource, users must specify the namespace, name, and key of the Secret using the certificateOutput field of the Certificate resource, as shown below. If a namespace isn't specified, the namespace of the Certificate resource will be used.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: certificate-secret
  namespace: default
data:
  certificate: ""
---
apiVersion: acmpca.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: my-certificate
spec:
  certificateOutput:
    namespace: default
    name: certificate-secret
    key: certificate
  ...
```
Before creating the CertificateAuthorityActivation resource, users must specify the namespace, name, and key of the Secret using the completeCertificateChainOutput field of the CertificateAuthorityActivation resource, as shown below. If a namespace isn't specified, the namespace of the CertificateAuthorityActivation resource will be used.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: certificate-chain-secret
  namespace: default
data:
  certificateChain: ""
---
apiVersion: acmpca.services.k8s.aws/v1alpha1
kind: CertificateAuthorityActivation
metadata:
  name: my-ca-activation
spec:
  completeCertificateChainOutput:
    namespace: default
    name: certificate-chain-secret
    key: certificateChain
  ...
```
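Because the controller injects into a Secret that must already exist, a pre-flight check over the manifests you are about to apply catches a missing Secret or an ambiguous target before anything reaches the cluster. The following Python is an added example, not part of this project's code: it resolves every certificateOutput and completeCertificateChainOutput reference using the namespace defaulting rule described above; the manifests are constructed samples embedded as dicts (as they would look after YAML parsing) to avoid a YAML dependency, and falling back to the `default` namespace for a resource without metadata.namespace is an assumption.

```python
# Constructed sample manifests, shaped like the README's examples after YAML parsing.
MANIFESTS = [
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "certificate-secret", "namespace": "default"},
     "data": {"certificate": ""}},
    {"apiVersion": "acmpca.services.k8s.aws/v1alpha1", "kind": "Certificate",
     "metadata": {"name": "my-certificate"},
     "spec": {"certificateOutput": {"namespace": "default",
                                    "name": "certificate-secret", "key": "certificate"}}},
    # Constructed: output namespace omitted, so it must fall back to the resource's own "pki".
    {"apiVersion": "acmpca.services.k8s.aws/v1alpha1", "kind": "CertificateAuthorityActivation",
     "metadata": {"name": "my-ca-activation", "namespace": "pki"},
     "spec": {"completeCertificateChainOutput": {"name": "certificate-chain-secret",
                                                "key": "certificateChain"}}},
]

# The spec field that names the target Secret for each ACK kind (from the README).
OUTPUT_FIELDS = {"Certificate": "certificateOutput",
                 "CertificateAuthorityActivation": "completeCertificateChainOutput"}

def secret_index(manifests, default_ns="default"):
    """Map (namespace, name) -> declared data keys for every Secret manifest."""
    index = {}
    for m in manifests:
        if m.get("kind") == "Secret":
            ns = m["metadata"].get("namespace", default_ns)  # assumption: cluster default ns
            index[(ns, m["metadata"]["name"])] = set(m.get("data", {})) | set(m.get("stringData", {}))
    return index

def check_outputs(manifests, default_ns="default"):
    """Return findings as strings; an empty list means every output reference resolves."""
    secrets, findings, writers = secret_index(manifests, default_ns), [], {}
    for m in manifests:
        field = OUTPUT_FIELDS.get(m.get("kind"))
        if field is None:
            continue
        out = m.get("spec", {}).get(field, {})
        # An omitted output namespace defaults to the namespace of the ACK resource itself.
        ns = out.get("namespace") or m["metadata"].get("namespace", default_ns)
        target, who = (ns, out.get("name")), f"{m['kind']}/{m['metadata']['name']}"
        if target not in secrets:
            findings.append(f"{who}: Secret {ns}/{out.get('name')} does not exist; create it first")
        elif out.get("key") not in secrets[target]:
            findings.append(f"{who}: key {out.get('key')!r} not pre-declared in Secret {ns}/{out['name']}")
        slot = target + (out.get("key"),)
        if slot in writers:  # two resources injecting into one key would overwrite each other
            findings.append(f"{who} and {writers[slot]} both write {ns}/{out['name']}[{out.get('key')}]")
        writers[slot] = who
    return findings
```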
We welcome community contributions and pull requests.
See our contribution guide for more information on how to report issues, set up a development environment, and submit code.
We adhere to the Amazon Open Source Code of Conduct.
You can also learn more about our Governance structure.
This project is licensed under the Apache-2.0 License.