Your buddy to keep sslmate certs in sync with kubernetes cluster

The project is halted at the moment and has a severe bug that makes it more or less unusable. Please see the open issues if you wish to help.


Your buddy to keep sslmate certificates synchronized with your Kubernetes cluster

* Reloads its internal config map every 1 minute
* Checks for new SSLmate certificates to download at start and every 60 minutes

At startup, all certs are downloaded and pushed / created according to the mappings in the configmap.

If the configmap is updated, the changes will be propagated within 1 minute.

If new SSL certs are added to the private key configMap, they will be added at the next run (every 60 minutes). This can be sped up by removing the pod, thereby forcing a complete propagation of all certs.


dep init dep ensure^2.0.0

Local testing

When started in a local Docker container, the K8S clientcmd package is used, and it needs a config file containing the certs / token required to talk to a K8S cluster.

docker run --rm -it --name k8s-sslmate -e SSLMATE_API_KEY="YourSSLmateAPIkey" -v /path/to/.kube:/opt/.kube roffe/k8s-sslmate

Deployment to K8S

There are deployment manifests included in this repo:


Attention!: k8s-sslmate assumes that the lowercase word 'star' is used for wildcard certificates and will configure SSLmate to act accordingly!

To create a secret containing the private keys used with SSLmate, issue the following after creating the namespace:

kubectl create secret generic sslmate-private-keys --from-file=domain.tld.key --from-file=star.somedomain.tld.key --namespace k8s-sslmate


Creates the namespace k8s-sslmate where the application will be running

kubectl create -f manifests/00-namespace.yaml


Edit to suit your needs. The mapping is very simple: the domain name is the key, and the value is a comma-separated list of the namespaces to deploy the certs to.

kubectl create -f manifests/01-configmap.yaml
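
One way to sanity-check the mapping before creating the configmap, since a typo in a namespace list decides where certificate secrets land. This is an added example, not code from k8s-sslmate: `ParseMapping`, `Target` and the sample data are hypothetical, and the `domain: "ns1,ns2"` layout and the `star.` to `*.` translation are assumed from the description above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"sort"
)

// nsName matches a valid Kubernetes namespace name (an RFC 1123 label).
var nsName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// Target is one certificate and the namespaces its secret would be pushed to.
type Target struct {
	CertName   string   // name as written in the mapping, e.g. "star.somedomain.tld"
	CommonName string   // DNS name on the certificate, e.g. "*.somedomain.tld"
	Namespaces []string // de-duplicated, in the order listed
}

// ParseMapping is a hypothetical helper; the domain -> "ns1,ns2" layout is assumed from the README.
func ParseMapping(data map[string]string) ([]Target, error) {
	var out []Target
	for name, list := range data {
		t := Target{CertName: name, CommonName: name}
		if strings.HasPrefix(name, "star.") {
			t.CommonName = "*." + strings.TrimPrefix(name, "star.")
		} else if strings.Contains(name, "*") {
			return nil, fmt.Errorf("%q: write wildcards with the lowercase word 'star'", name)
		}
		seen := map[string]bool{}
		for _, ns := range strings.Split(list, ",") {
			ns = strings.TrimSpace(ns)
			if !nsName.MatchString(ns) { // also rejects empty items such as "a,,b"
				return nil, fmt.Errorf("%q: invalid namespace %q", name, ns)
			}
			if !seen[ns] {
				seen[ns] = true
				t.Namespaces = append(t.Namespaces, ns)
			}
		}
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CertName < out[j].CertName })
	return out, nil
}

func main() { // constructed sample mapping, not the project's manifest
	fmt.Println(ParseMapping(map[string]string{"star.somedomain.tld": "web, api,web"}))
}
```
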


Base64-encode your SSLmate API key and insert it into the template, then create the secret with:

kubectl create -f manifests/02-sslmate-api-key.yaml


The actual deployment. It will reference your sslmate-api-key secret and use it as an environment variable.

k8s-sslmate CLI reference


Set the SSLmate cert directory, default /etc/sslmate/keys/


Set the SSLmate key directory, default /etc/sslmate/keys/


Set the path to your kubernetes config, default /opt/.kube/config