Generating Certificates using Certbot (as a CronJob) within Kubernetes

12/15/2018

I've unsuccessfully been trying to create a simple "run" command using kubectl whereby the container is started and passed in the (partial) arguments to initially create my certificates (which I will initially do manually through PowerShell) and could do with some input from the community.

My Environment:

  • (Local) Windows 10 with PowerShell
  • (Remote) Azure Kubernetes Cluster

My efforts consist of two key commands, the first being the creation of the overrides (in JSON) for the container (primarily so I can mount the Azure File Shares where I want certificates to be stored):

$override= '{ "spec": { "template": { "spec": { "containers": [ { "name": "certbot", "image": "certbot/certbot", "stdin": true, "tty": true, "volumeMounts": [{ "name": "certdata", "mountPath": "/etc/letsencrypt" }] } ], "volumes": [{ "name": "certdata", "persistentVolumeClaim": { "claimName": "azure-fileshare" } }] } } } }' | ConvertTo-Json

The second is then the kubectl run command which would be used as the basis for the CronJob (creating the CronJob itself is my next task once I've gotten this working correctly):

kubectl run -i --rm --tty certbot --namespace=prod --overrides=$override --image=certbot/certbot -- certonly --manual

I've been trying a number of variations, and this approach seems the cleanest. However, I'm currently getting the following response from Kubernetes:

Error attaching, falling back to logs: unable to upgrade connection: container certbot not found in pod certbot-9df67bd65-w96rq_prod
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

The latter part of the warning indicates that certbot is not receiving any of the arguments (in this case "certonly" and "--manual"), but I can't figure out quite where I'm going wrong. I feel like I've sanity checked the commands with both the Kubernetes & certbot docs and can't see any obvious issues.

Can anyone point out the gremlin here?

Note: I've successfully tested this approach using Docker locally, and am now trying to recreate this within Azure.

-- Matt Woodward
azure
azure-aks
azure-kubernetes
kubectl
kubernetes

1 Answer

12/15/2018

You don't need to create an image from image to do that, just create a pod like this:

apiVersion: v1
kind: Pod
metadata:
  name: certbot
spec:
  containers:
  - name: certbot
    image: certbot/certbot
    command: ["/bin/sh"]  # this overrides the image's entrypoint
  restartPolicy: Never

https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/

-- 4c74356b41
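The same entrypoint/argument distinction carried into the CronJob the question mentions as its next step. This manifest is an added example, not code from the asker, the answerer or the certbot project: the claim name "azure-fileshare" and the namespace "prod" are taken from the question, while the schedule and the use of "renew" in place of the interactive "certonly --manual" flow are assumptions.

```yaml
# Added example (not from the question or answer): a CronJob that runs the
# certbot image on a schedule with the certificate store on the same
# PersistentVolumeClaim the question mounts. Assumed values: schedule,
# CronJob name and the "renew" subcommand. Clusters older than Kubernetes
# 1.21 need "apiVersion: batch/v1beta1" instead.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: certbot-renew
  namespace: prod
spec:
  schedule: "0 3 * * *"          # once a day; certbot itself only renews when a cert is due
  concurrencyPolicy: Forbid      # never run two certbot instances against the same store
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: certbot
            image: certbot/certbot
            # The image's ENTRYPOINT is already "certbot", so "args" are appended
            # to it; "command" would replace the entrypoint entirely (the answer's
            # "/bin/sh" example). A CronJob pod has no terminal, so the interactive
            # "--manual" flow from the question cannot run here; "renew" reads the
            # account and domain config saved under /etc/letsencrypt instead.
            args:
            - renew
            - --non-interactive
            volumeMounts:
            - name: certdata
              mountPath: /etc/letsencrypt   # private keys live here; restrict who can read the share
          volumes:
          - name: certdata
            persistentVolumeClaim:
              claimName: azure-fileshare
```

Apply it with `kubectl apply -f certbot-cronjob.yaml`. The first issuance still has to happen once, interactively, before this schedule is useful: a one-off Pod like the one in the answer, with `args: ["certonly", "--manual"]` (keeping the image's `certbot` entrypoint) and the same volume mount, writes the initial certificate and renewal config that `renew` later picks up.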
Source: StackOverflow