Add README for the project (#5)

mstiri · web-flow · commit 42ea750c6627 · 2023-03-05T21:14:07.000+01:00
diff --git a/README.md b/README.md
@@ -0,0 +1,167 @@
+# Kube Cert ACM
+
+
+
+Automatically synchronize [cert-manager](https://github.com/cert-manager/cert-manager) generated Certificates to [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) from your Kubernetes cluster.
+
+
+## How does it work
+
+kube-cert-acm is a chart that creates a Deployment in your Kubernetes cluster.
+
+It reads its configuration from a config file that is mounted from a ConfigMap. The ConfigMap lists the certificates to be imported from the cluster to ACM.
+
+It gets these Certificates on a regular basis, and if different from the ones on ACM, updates them on AWS. The check interval is configured on the Helm chart.
+
+These certificates are supposed to be generated by cert-manager and are defined in a Certificate CRD.
+
+
+This chart has been tested on an EKS cluster for the following Kubernetes versions:
+
+-   Kubernetes 1.21 ✅
+-   Kubernetes 1.22 ✅
+-   Kubernetes 1.23 ✅
+-   Kubernetes 1.24 ✅
+-   Kubernetes 1.25 ✅
+
+It has also been tested with certificates generated with the following versions of cert-manager charts:
+
+-   cert-manager 1.9.1 ✅
+-   cert-manager 1.9.2 ✅
+-   cert-manager 1.10.0 ✅
+-   cert-manager 1.11.0 ✅
+
+It has been tested for Let's Encrypt certificates generated using cert-manager.
+
+# Installation
+
+kube-cert-acm can be installed using the official helm chart:
+
+**TODO**: Add helm Repo 
+
+```bash
+helm install kube-cert-acm <repo>/kube-cert-acm --set aws.region="<AWS_REGION>" \
+	--set serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn="arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
+	-f values.yaml
+
+```
+
+The values will contain for example the list of certificates to by imported to ACM. Details on the next section
+
+# Configuration
+
+### Certificates Configuration
+
+The pod takes its configuration from a ConfigMap that is supposed to list all the certificates to be watched and synced. The ConfigMap is provided to the chart via the key `certificatesConfig`
+
+The list of Certificates to be synchronized is provided via a config file to the Chart.
+
+Example:
+
+```yaml
+certificatesConfig:
+  certificates_config.yaml: |
+    - cert: podinfo.dev.softcloudhq.io
+      namespace: test
+      domain_name: "podinfo.dev.softcloudhq.io"
+    - cert: podinfo.demo.softcloudhq.io
+      namespace: demo
+      domain_name: "podinfo.demo.softcloudhq.io"
+
+```
+
+### Other configurations
+
+The check interval is configured via the key `checkIntervalSeconds` :
+
+```yaml
+
+checkIntervalSeconds: "30"
+
+```
+
+## RBAC Configuration
+
+The helm chart configures a Cluster Role for kube-cert-acm in order to be able to read Certificates and Secrets from different namespaces in the cluster.
+
+The rule to get **Certificates**:
+
+```yaml
+- apiGroups: ["cert-manager.io"]
+  resources: ["certificates"]
+  verbs: ["get"]
+
+```
+
+A rule to get the **Secret** containing the actual certificate and private key:
+
+```yaml
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+
+```
+
+## IAM Role Configuration
+
+kube-cert-acm needs to access AWS ACM to import Certificates. It is recommended to use a dedicated IAM role specifically for this task that only allows the required actions.
+
+kube-cert-acm requires the following actions to synchronise certificates to ACM. The following policy is to be attached to the kube-cert-acm IAM role:
+
+```json
+{
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Effect": "Allow",
+            "Resource": "*",
+            "Sid": ""
+        },
+        {
+            "Action": "acm:ListCertificates",
+            "Effect": "Allow",
+            "Resource": "*",
+            "Sid": ""
+        },
+        {
+            "Action": [
+                "acm:UpdateCertificateOptions",
+                "acm:ListTagsForCertificate",
+                "acm:ImportCertificate",
+                "acm:GetCertificate",
+                "acm:ExportCertificate",
+                "acm:DescribeCertificate",
+                "acm:AddTagsToCertificate"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*",
+            "Sid": ""
+        }
+    ],
+    "Version": "2012-10-17"
+}
+
+```
+
+The Helm chart suppose IRSA is used and expects the Service Account to be annotated with the required IAM role. More details on IRSA on the [official documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+
+# Roadmap
+
+-   [ ] Do not rely only on Certificates generated by cert-manager. Support importing certificates from Kubernetes Secrets generally
+-   [ ] Provide more flexible configuration to import certificates to different AWS regions
+-   [ ] Support configuration through annotations on Kubernetes Secrets, without needing a ConfigMap
+
+
+
+# Contribution
+
+This project has been built to fit a specific need: import a list of certificates from Kubernetes to ACM. A lot of work is still to be done to make it fit other use cases.
+
+Contributions are highly appreciated.
+
+To contribute:
+
+-   Fork the project
+-   Create a branch
+-   Make your contribution
+-   Open a Pull Request
