This repository can be used to build two images to generate and install certificates using certbot in a Rancher environment. Note that if you have the required admin permissions you should look at a cert-manager based solution.
This repository builds two containers:
- `Dockerfile.nginx` (openchemistry/certbot-nginx) - An nginx container that exposes `.well-known/acme-challenge` for a given host. The `NGINX_HOST` environment variable is used to set `server_name`.
- `Dockerfile.rancher` (openchemistry/certbot-rancher) - A certbot/certbot based container with added hooks to copy certificates into a Rancher certificate.
Several workloads need to be created from the two images.
This workload needs to be created from the `openchemistry/certbot-nginx` image. It exposes the `.well-known/acme-challenge` content that is generated by certbot. A volume should be mounted at `/usr/share/nginx/html`; this volume will also be mounted into the second workload.

The following environment variable must be configured on the workload:

- `NGINX_HOST` - This should be the domain that a certificate is being requested for.

The appropriate ingress should be set up to allow port 80 to be routed to this workload.
You will need two workloads here: one to do the initial setup (with an entrypoint of `/scripts/setup.sh`); this one will only be used once (it can be run as a Job). The second should be set up on a cron schedule to renew the certificate (with an entrypoint of `/scripts/renew.sh`).

These workloads need to be created from the `openchemistry/certbot-rancher` image; they will be used to execute the certbot commands. The volume attached to the NGINX workload should be mounted at `/data/letsencrypt`; this is where certbot will write the challenge. A second volume should be mounted at `/etc/letsencrypt`; this is where certbot will write the certificates.
The following environment variables must be configured on these workloads:

- `DOMAIN` - The domain that the SSL cert is to be generated for.
- `CERT_NAME` - The name to give the SSL cert in Rancher.
- `NAMESPACE` - The Rancher namespace to create the certificate in.
- `ENDPOINT_URL` - The URL to use to log in to Rancher (for example: https://rancher2.spin.nersc.gov/v3).
- `CONTEXT` - The Rancher project id.
- `EMAIL` - The email for certbot to use for notifications.

The following secret should be mounted into the workload:

- `/secrets/bearer-token` - This should contain the bearer token to be used for `rancher login`.
The image provides two scripts that can be used as entrypoints:

- `/scripts/setup.sh` - Run to create the initial certificate.
- `/scripts/renew.sh` - Run periodically to renew the certificate if necessary.

Once the initial setup workload (Job) has been executed, a Rancher certificate will have been created and can be used by the appropriate ingress.
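The shape such entrypoints take, as an added example that is not the repository's own `setup.sh`/`renew.sh`: it checks the variables and secret listed above before running anything, issues or renews with certbot's webroot mode against the shared volume, and then publishes the result to Rancher. The publish step assumes the Rancher CLI (`rancher login`, `rancher kubectl`) and that a Rancher certificate is a `kubernetes.io/tls` secret in the target namespace; `CERTBOT` and `RANCHER` are overridable only so the logic can be exercised without the real tools.

```shell
#!/bin/sh
# Added example, not the repository's own setup.sh/renew.sh; the Rancher publish step is an assumption.
set -eu
WEBROOT=/data/letsencrypt          # volume shared with the nginx workload
TOKEN_FILE=/secrets/bearer-token   # mounted secret; its content is never printed
CERTBOT=${CERTBOT:-certbot}
RANCHER=${RANCHER:-rancher}
# Fail fast, naming every missing variable, so a broken Job is easy to diagnose.
check_env() {
  missing=""
  for v in DOMAIN CERT_NAME NAMESPACE ENDPOINT_URL CONTEXT EMAIL; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing environment variables:$missing" >&2; return 1; }
}
# The mounted bearer token must exist and be non-empty (its value is never printed).
check_token() {
  [ -s "${1:-$TOKEN_FILE}" ] || { echo "bearer token missing or empty" >&2; return 1; }
}
# Initial issuance (setup.sh role): the challenge is served by the nginx workload.
issue_certificate() {
  check_env
  "$CERTBOT" certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -m "$EMAIL" \
    --agree-tos --non-interactive
}

# Periodic renewal (renew.sh role): certbot decides whether renewal is due yet.
renew_certificate() {
  check_env
  "$CERTBOT" renew --webroot -w "$WEBROOT" --non-interactive
}
# Assumption: a Rancher certificate is a kubernetes.io/tls secret in the namespace;
# 'apply' makes this idempotent. The token is visible in the process list while
# login runs, so keep the secret file mode 0400 and the workload non-privileged.
publish_to_rancher() {
  check_env
  check_token
  live=/etc/letsencrypt/live/$DOMAIN
  "$RANCHER" login "$ENDPOINT_URL" --context "$CONTEXT" \
    --token "$(cat "$TOKEN_FILE")" >/dev/null
  "$RANCHER" kubectl -n "$NAMESPACE" create secret tls "$CERT_NAME" \
    --cert="$live/fullchain.pem" --key="$live/privkey.pem" --dry-run=client -o yaml |
    "$RANCHER" kubectl apply -f -
}

case "${1:-}" in
  setup) issue_certificate && publish_to_rancher ;;
  renew) renew_certificate && publish_to_rancher ;;
esac
```

Run it as `entrypoint.sh setup` once and `entrypoint.sh renew` on the cron schedule; with no argument it only defines the functions.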