Skip to content

kamijin-fanta/envoy-acme

Repository files navigation

envoy-acme

Obtain the certificate from Let's encrypt and configure it on the Envoy Proxy through SDS.

Currently, only DNS01 using Lego is supported. https://go-acme.github.io/lego/dns/

Commands usage

envoy-acme --help

NAME:
   envoy-acme - A new cli application

USAGE:
   envoy-acme [global options] command [command options] [arguments...]

COMMANDS:
   start    start sds server
   export   export cert, keys file from store
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --log-level value            (default: "info") [$LOG_LEVEL]
   --log-format value           (default: "text") [$LOG_FORMAT]
   --store value                (default: "consul") [$STORE]
   --store-file-base value      (default: "./data") [$STORE_FILE_BASE]
   --store-consul-prefix value  (default: "envoy-acme/default") [$STORE_CONSUL_PREFIX]
   --help, -h                   show help (default: false)

envoy-acme start --help

NAME:
   envoy-acme start - start sds server

USAGE:
   envoy-acme start [command options] [arguments...]

OPTIONS:
   --ca-dir value            (default: "https://acme-staging-v02.api.letsencrypt.org/directory") [$CA_DIR]
   --cert-days value         (default: 25) [$CERT_DAYS]
   --xds-listen value        (default: "127.0.0.1:20000") [$XDS_LISTEN]
   --interval value          (default: 1h0m0s) [$INTERVAL]
   --lock-timeout value      (default: 10m0s) [$LOCK_TIMEOUT]
   --config value, -c value  (default: "sites.yaml") [$CONFIG_FILE]
   --metrics-listen value    (default: "127.0.0.1:20001") [$METRICS_LISTEN]
   --help, -h                show help (default: false)

envoy-acme start --help

NAME:
   envoy-acme export - export cert, keys file from store

USAGE:
   envoy-acme export [command options] [arguments...]

OPTIONS:
   --name value  target configure name
   --dest value  output directory (default: ".")
   --help, -h    show help (default: false)

Configs

Sites config

# site.yaml
sites:
  - name: setting-names     # It will be the setting name of SDS
    provider: sakuracloud   # DNS-01 provider name in Lego
    email: [email protected]     # Your email address
    domains:                # Target domains
      - "example.com"
      - "*.example.com"
    legoenv:                # Environment variables required by the provider
      - SAKURACLOUD_ACCESS_TOKEN=********-****-****-****-**********
      - SAKURACLOUD_ACCESS_TOKEN_SECRET=****************************************************************
      - SAKURACLOUD_POLLING_INTERVAL=20
      - SAKURACLOUD_PROPAGATION_TIMEOUT=300

Dot env file

.env

LOG_LEVEL=debug  # For more information --help

Example envoy.yaml

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          route_config:
            name: route
            virtual_hosts:
            - name: app_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response:
                  status: 200
                  body:
                    inline_string: hello envoy
          http_filters:
          - name: envoy.router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificate_sds_secret_configs:
            - name: "setting-name"
              sds_config:
                resource_api_version: v3
                api_config_source:
                  api_type: GRPC
                  transport_api_version: v3
                  grpc_services:
                    envoy_grpc:
                      cluster_name: envoy_acme_sds_cluster
  clusters:
  - name: envoy_acme_sds_cluster
    connect_timeout: 0.25s
    http2_protocol_options: {}
    load_assignment:
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: {address: 127.0.0.1, port_value: 20000 }