Automating Certificate Synchronization from Kubernetes to AWS ACM
Introduction
Managing TLS certificates is a critical task for any organization that values security and user trust. In cloud-native environments, tools like cert-manager simplify certificate issuance and renewal inside Kubernetes clusters. Challenges arise, however, when the same certificates must be used by services outside the cluster: an AWS Application Load Balancer terminates TLS with a certificate held in AWS Certificate Manager (ACM), not with a certificate stored in a Kubernetes secret.
In this blog post, we’ll explore a solution to automate the synchronization of certificates from Kubernetes secrets to AWS ACM, eliminating manual interventions and reducing the risk of certificate expiration.
The Problem
Currently, cert-manager has no built-in way to take a certificate it obtained and renewed from one issuer (such as Keyfactor) and push it into another store (such as AWS ACM). Teams that need these certificates on AWS load balancers have to:
- Manually renew the certificate with the certificate issuer (e.g. Keyfactor, Venafi).
- Download the renewed certificate and its private key in PEM format.
- Decrypt the private key if it was exported encrypted, then upload the certificate, key and chain to AWS ACM by hand.
This manual process is prone to errors and can lead to service disruptions if certificates expire unnoticed.
The Solution
Since cert-manager handles the auto-renewal of certificates and stores them in Kubernetes secrets, we can write a Kubernetes controller that watches these secrets and automatically syncs the certificates to AWS ACM.
Overview
The controller performs the following actions:
- Watches Kubernetes secrets of type kubernetes.io/tls for changes, with a full resync every 24 hours.
- Filters for secrets carrying the annotation sync-to-acm: "true".
- Extracts the certificate (tls.crt) and private key (tls.key) from the secret.
- Checks whether the certificate already exists in AWS ACM.
- If it exists and is nearing expiration (3 days before), re-imports the certificate. (Assumption: cert-manager renews the TLS secret at least 4 days before expiry, so the secret already holds the new certificate when the 3-day window opens. With a shorter renewBefore the controller would re-upload the old certificate; comparing the serial number of the certificate in the secret with the one in ACM avoids that dependency.)
- If it doesn't exist, imports the certificate into AWS ACM.
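The reconcile step described above, written out as an added example in Go; this is not code from the post or from any project it mentions. It keeps the post's decision rules and adds the checks a practitioner would want: the kubernetes.io/tls type and annotation gate, splitting tls.crt into leaf and intermediates (ACM imports them as separate fields), refusing an expired certificate, and a serial-number comparison so an unchanged certificate is never uploaded twice. The annotation name sync-to-acm and the 3-day window come from the post; the acmStore interface, the in-memory memACM, the namespace/name lookup key, the ARN format and the self-signed certificates are assumptions made so the example runs offline, where a real controller would use client-go and the AWS SDK's ListCertificates, DescribeCertificate and ImportCertificate calls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const (
	syncAnnotation = "sync-to-acm"      // opt-in annotation from the post
	renewBefore    = 3 * 24 * time.Hour // post's rule: re-import once the ACM copy is within 3 days of expiry
)
// tlsSecret stands in for corev1.Secret so the example runs without client-go; Data holds "tls.crt" and "tls.key".
type tlsSecret struct {
	Namespace, Name, Type string
	Annotations           map[string]string
	Data                  map[string][]byte
}
// acmEntry is what the controller needs from ACM; acmStore is the slice of ACM it touches. A real implementation
// wraps ListCertificates/DescribeCertificate/ImportCertificate and finds the entry via a tag holding the secret key.
type acmEntry struct{ ARN, Serial string; NotAfter time.Time }
type acmStore interface {
	Lookup(key string) *acmEntry // nil when ACM holds nothing for this secret
	Import(key string, existing *acmEntry, leaf *x509.Certificate, leafPEM, keyPEM, chainPEM []byte) string
}
// Outcomes: ignore (not an annotated kubernetes.io/tls secret, or bad data), skip, import, reimport (same ARN).
type action string
const actionIgnore, actionSkip, actionImport, actionReimport action = "ignore", "skip", "import", "reimport"
// decide applies the post's rules, plus a serial check so an unchanged certificate is never uploaded twice.
func decide(leaf *x509.Certificate, existing *acmEntry, now time.Time) action {
	if existing == nil {
		return actionImport
	}
	if existing.Serial != leaf.SerialNumber.Text(16) && existing.NotAfter.Sub(now) <= renewBefore {
		return actionReimport
	}
	return actionSkip // same serial already in ACM, or the ACM copy is not yet near expiry
}
// syncSecret is the per-secret reconcile step, run on every watch event and on the periodic resync.
func syncSecret(s tlsSecret, store acmStore, now time.Time) (action, error) {
	if s.Type != "kubernetes.io/tls" || s.Annotations[syncAnnotation] != "true" {
		return actionIgnore, nil
	}
	key := s.Namespace + "/" + s.Name
	block, chainPEM := pem.Decode(s.Data["tls.crt"]) // ACM takes the leaf and the intermediates as separate fields
	if block == nil || block.Type != "CERTIFICATE" {
		return actionIgnore, fmt.Errorf("%s: tls.crt does not start with a CERTIFICATE block", key)
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return actionIgnore, fmt.Errorf("%s: %w", key, err)
	}
	if len(s.Data["tls.key"]) == 0 || !now.Before(leaf.NotAfter) { // never push a keyless or expired cert into ACM
		return actionIgnore, fmt.Errorf("%s: missing tls.key or certificate expired at %s", key, leaf.NotAfter.UTC())
	}
	existing := store.Lookup(key)
	act := decide(leaf, existing, now)
	if act == actionImport || act == actionReimport {
		store.Import(key, existing, leaf, pem.EncodeToMemory(block), s.Data["tls.key"], chainPEM)
	}
	return act, nil
}
// memACM is an in-memory stand-in for ACM so the reconcile logic can be exercised offline.
type memACM struct{ certs map[string]*acmEntry }
func newMemACM() *memACM                      { return &memACM{certs: map[string]*acmEntry{}} }
func (m *memACM) Lookup(key string) *acmEntry { return m.certs[key] }
func (m *memACM) Import(key string, existing *acmEntry, leaf *x509.Certificate, _, _, _ []byte) string {
	arn := "arn:aws:acm:us-east-1:123456789012:certificate/" + leaf.SerialNumber.Text(16) // constructed ARN
	if existing != nil {
		arn = existing.ARN // re-import replaces the certificate in place; listeners keep their reference
	}
	m.certs[key] = &acmEntry{ARN: arn, Serial: leaf.SerialNumber.Text(16), NotAfter: leaf.NotAfter}
	return arn
}
// makeTLSSecret builds a constructed, annotated kubernetes.io/tls secret with a fresh self-signed certificate,
// standing in for what cert-manager writes after (re)issuance; every call yields a new serial and key.
func makeTLSSecret(name string, notAfter time.Time) tlsSecret {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, DNSNames: []string{"app.example.com"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return tlsSecret{Namespace: "default", Name: name, Type: "kubernetes.io/tls", Annotations: map[string]string{syncAnnotation: "true"},
		Data: map[string][]byte{"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
			"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}}
}

func main() {
	store, now := newMemACM(), time.Now()
	s := makeTLSSecret("app-tls", now.Add(90*24*time.Hour))
	fmt.Println(syncSecret(s, store, now))                   // import <nil>
	fmt.Println(syncSecret(s, store, now.Add(24*time.Hour))) // skip <nil>: same serial is already in ACM
	renewed := makeTLSSecret("app-tls", now.Add(180*24*time.Hour))    // cert-manager has rotated the secret
	fmt.Println(syncSecret(renewed, store, now.Add(88*24*time.Hour))) // reimport <nil>: ACM copy has 2 days left
}
```

A re-import passes the existing entry so the store replaces the certificate under the same ARN, which is what keeps load balancer listeners pointing at a valid certificate; a first import gets no existing entry and receives a new ARN. Because decide already compares serial numbers, dropping the 3-day condition and re-importing as soon as the secret's certificate differs from ACM's would remove the dependence on cert-manager's renewBefore setting altogether.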