Route53 LEGO (K8s)

  • Canonical Telco
Channel Revision Published Runs on
latest/stable 90 04 Jul 2024
Ubuntu 22.04
latest/candidate 90 04 Jul 2024
Ubuntu 22.04
latest/beta 90 04 Jul 2024
Ubuntu 22.04
latest/edge 104 12 Nov 2024
Ubuntu 22.04
juju deploy route53-lego-k8s --channel beta
Show information

Platform:

Getting Started

In this tutorial, we will use the Route53 LEGO K8s charm to obtain a certificates from Let’s Encrypt for a requiring charm using the TLS Certificates Requirer Operator as our TLS certificates requirer. This tutorial assumes that you have a Hosted Zone in AWS Route53.

1. Install pre-requisites

Install MicroK8s:

sudo snap install microk8s

Enable the hostpath-storage MicroK8s add-on:

microk8s enable hostpath-storage

Install Juju:

sudo snap install juju

2. Bootstrap a Juju controller

Bootstrap a Juju controller:

juju bootstrap microk8s

Create a Juju model:

juju add-model demo

3. Deploy Route53 LEGO K8s

Deploy the Route53 Lego K8s charm:

juju deploy route53-lego-k8s

Configure the charm with your ACME and AWS information:

juju config \
  server=https://acme-staging-v02.api.letsencrypt.org/directory \
  email=test@gmail.com \
  aws_region=<your AWS region> \
  aws_hosted_zone_id=<your AWS Hosted Zone ID> \
  aws_access_key_id=<your AWS Access Key ID> \
  aws_secret_access_key=<your AWS Secret Access Key>

Make sure to replace the AWS information with the appropriate one.

4. Deploy tls-certificates-requirer

Deploy TLS Certificates Requirer:

juju deploy tls-certificates-requirer --channel=edge

Configure the charm to use the same common name as in your AWS hosted zone:

juju config tls-certificates-requirer common_name=<your common name>

5. Integrate the two charms

Integrate the charms with their tls-certificates interface:

juju integrate route53-lego-k8s tls-certificates-requirer

Wait for both charms to be in the active/idle status. This can take a couple of minutes as the Route53 LEGO K8s charm makes its request to the ACME server. Once this is completed, you should see the following:

ubuntu@server:~$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.1.7    unsupported  10:25:05-05:00

App                        Version  Status   Scale  Charm                      Channel  Rev  Address        Exposed  Message
route53-lego-k8s                    waiting      1  route53-lego-k8s           stable     7  10.152.183.24  no       installing agent
tls-certificates-requirer           active       1  tls-certificates-requirer             0  10.152.183.33  no       Certificate is available

Unit                          Workload  Agent  Address      Ports  Message
route53-lego-k8s/0*           active    idle   10.1.182.53         
tls-certificates-requirer/0*  active    idle   10.1.182.57         Certificate is available

6. Retrieve the TLS Certificates

Use the TLS Certificates Requirer’s get-certificate action to retrieve the Let’s Encrypt certificate:

juju run tls-certificates-requirer/0 get-certificate

You should expect this output (with different certificates of course)

ubuntu@server:~$ juju run tls-certificates-requirer/0 get-certificate
Running operation 3 with 1 task
  - task 4 on unit-tls-certificates-requirer-0

Waiting for task 4...
ca-certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIFVDCCBDygAwIBAgIRAO1dW8lt+99NPs1qSY3Rs8cwDQYJKoZIhvcNAQELBQAw
  cTELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1
  cml0eSBSZXNlYXJjaCBHcm91cDEtMCsGA1UEAxMkKFNUQUdJTkcpIERvY3RvcmVk
  IER1cmlhbiBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQw
  M1owZjELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBT
  ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRl
  bmQgUGVhciBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdD
  Ta1QgGBWSYkyMhscZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPW
  nL++fgehT0FbRHZgjOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigk
  kmx8OiCO68a4QXg4wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZ
  GTIf/oRt2/c+dYmDoaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6V
  P19sTGy3yfqK5tPtTdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkL
  YC0Ft2cYUyHtkstOfRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2
  UPQFxmWFRQnFjaq6rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/
  2dBZKmJqxHkxCuOQFjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRM
  EeOXUYvbV4lqfCf8mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEm
  QWUOTWIoDQ5FOia/GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eV
  EGOIpn26bW5LKerumJxa/CFBaKi4bRvmdJRLAgMBAAGjgfEwge4wDgYDVR0PAQH/
  BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLXzZfL+sAqSH/s8ffNE
  oKxjJcMUMB8GA1UdIwQYMBaAFAhX2onHolN5DE/d4JCPdLriJ3NEMDgGCCsGAQUF
  BwEBBCwwKjAoBggrBgEFBQcwAoYcaHR0cDovL3N0Zy1kc3QzLmkubGVuY3Iub3Jn
  LzAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vc3RnLWRzdDMuYy5sZW5jci5vcmcv
  MCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEB
  CwUAA4IBAQB7tR8B0eIQSS6MhP5kuvGth+dN02DsIhr0yJtk2ehIcPIqSxRRmHGl
  4u2c3QlvEpeRDp2w7eQdRTlI/WnNhY4JOofpMf2zwABgBWtAu0VooQcZZTpQruig
  F/z6xYkBk3UHkjeqxzMN3d1EqGusxJoqgdTouZ5X5QTTIee9nQ3LEhWnRSXDx7Y0
  ttR1BGfcdqHopO4IBqAhbkKRjF5zj7OD8cG35omywUbZtOJnftiI0nFcRaxbXo0v
  oDfLD0S6+AC2R3tKpqjkNX6/91hrRFglUakyMcZU/xleqbv6+Lr3YD8PsBTub6lI
  oZ2lS38fL18Aon458fbc0BPHtenfhKj5
  -----END CERTIFICATE-----
certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIFLDCCBBSgAwIBAgISKwAxw9n9Zd/jc81/j0iyAVhFMA0GCSqGSIb3DQEBCwUA
  MFkxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExcoU1RBR0lORykgTGV0J3MgRW5jcnlw
  dDEoMCYGA1UEAxMfKFNUQUdJTkcpIEFydGlmaWNpYWwgQXByaWNvdCBSMzAeFw0y
  NDAxMTcxNDI0NThaFw0yNDA0MTYxNDI0NTdaMCMxITAfBgNVBAMTGHBpenphLmNh
  bm9uaWNhbHRlbGNvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  AKf527FKvKx32VFxZhz6eQPr7J5KUhLifbD0rJHpDwAvuKBjDBALqYMmQNYNjQO9
  r/cHqtt8+WWBLBB3l4+jeEgkFPJ4XW3pcdEeKVrlKbwyZzJ5DlXjRxAf3kigLApK
  7P/HGWUelSFpx0SYfcC0QwKmH1FEVxkehIcwQBjsz2Yq25/T8fqzRavsKWRCkxwr
  cfwuuMCJf392JeHWvQoeeLbv3rwd1r0gK6Qnwpf3XmsY+Hif5D0mvWzoeqAjbZ4q
  WEG5vEKLcQ3npSKq4iLlxk3V15Ggq1nOPrmAPgqqQKd6PgOD9uyrwnuv6ZQ3AvFy
  sDaRL86krLcnwfnz258ti1kCAwEAAaOCAiIwggIeMA4GA1UdDwEB/wQEAwIFoDAd
  BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
  HQ4EFgQUziLKzmQC8iK2XAbPPiHCix8KQCwwHwYDVR0jBBgwFoAU3nJ6SN8xw6ZQ
  35+FI99XN0tdLmUwXQYIKwYBBQUHAQEEUTBPMCUGCCsGAQUFBzABhhlodHRwOi8v
  c3RnLXIzLm8ubGVuY3Iub3JnMCYGCCsGAQUFBzAChhpodHRwOi8vc3RnLXIzLmku
  bGVuY3Iub3JnLzAjBgNVHREEHDAaghhwaXp6YS5jYW5vbmljYWx0ZWxjby5jb20w
  EwYDVR0gBAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgAo
  dhoYkCf77zzQ1hoBjXawUFcpx6dBG8y99gT0XUJhUwAAAY0YBotuAAAEAwBHMEUC
  IF0W5ERRXpAhi27UAd5mTp01uT5BBcP8Xyx61wCTySUcAiEAyfCwKizK2G8DU/3s
  WZkGDEHz3s3uZ3r+L5WZJcP5Yf8AdgCwzIPlpfl9a698CcwoSQSHKsfoixMsY1C3
  xv0m4WxsdwAAAY0YBotKAAAEAwBHMEUCIBAaKbSnKjO8kWbKHbsQwmBobmQ2yVeV
  J9pRGebVM9bDAiEA/iyGQRBZjGMY+zbg1gTuIBzJ9m2BL2UUOqRnbGWFyKEwDQYJ
  KoZIhvcNAQELBQADggEBAKZBaUVppLENs4IZc5yL//WfNJ9qneTKl4doEf+2wA4p
  bt4vGCVtTPb4S1+IEqA59SsFgk4nLTEJLlZQCB0Czcf+9FUbWp6jmlDVuue3jqok
  oecNFCVFGeFs+3PiWxKYraZDqZEYLs797bxvStIHH2+QDxXb0pqi9UNSq1hb1tx7
  2QzpCQ1TAQ1Gk/RVMh4RmGggywxMr/TneYOETNMslhWCLmuXU53le0u3CNmTKTkV
  9gnuiQD9HfDRan5CfzYSeZDm9XxjwB05z8J9RRazsVaSEwoBr0fLnJyEKNBceFfH
  eEObXNuFCdpw7lVLOxTxLSkeh7YGvlBp6HS9AjvyTlg=
  -----END CERTIFICATE-----
csr: |-
  -----BEGIN CERTIFICATE REQUEST-----
  MIIClzCCAX8CAQAwUjEhMB8GA1UEAwwYcGl6emEuY2Fub25pY2FsdGVsY28uY29t
  MS0wKwYDVQQtDCRiNTdmNmU2Ni1kNzRiLTQyOTUtODEzYS1jNGMwNTRmNzljZWMw
  ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn+duxSrysd9lRcWYc+nkD
  6+yeSlIS4n2w9KyR6Q8AL7igYwwQC6mDJkDWDY0Dva/3B6rbfPllgSwQd5ePo3hI
  JBTyeF1t6XHRHila5Sm8MmcyeQ5V40cQH95IoCwKSuz/xxllHpUhacdEmH3AtEMC
  ph9RRFcZHoSHMEAY7M9mKtuf0/H6s0Wr7ClkQpMcK3H8LrjAiX9/diXh1r0KHni2
  7968Hda9ICukJ8KX915rGPh4n+Q9Jr1s6HqgI22eKlhBubxCi3EN56UiquIi5cZN
  1deRoKtZzj65gD4KqkCnej4Dg/bsq8J7r+mUNwLxcrA2kS/OpKy3J8H589ufLYtZ
  AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAoRKeqvD50ZsJNR39cBs98POY1fFt
  AO1Ss0qpIwzHuZUUxqxspAMe+J/yCSw5SsBtyhUBdjnzJeYv9IAVCJQmToM7N7SL
  3bEQOnTMj+7aPr8K00g5tDfKsuyDOJydfmEgi0yZuMGOPAkIVFkG4dhDFqD8pc6y
  Sp78RUc2YTQbR0jrF0oCl8v4pMG199h3y7+nlqChMvYPEjw1y/9jxQmwWRwtfY51
  8kpE2qMFYTnfvTCkLTCGmXEvfvyu6+IdncoafDrQ/bRompcl2RdYqMTYxTcqOCvs
  2tlJVuVkj5NwruxyYedJgHwtSwpuss6aS/pA7jOU8d2c/qI3RgTfuQCrAA==
  -----END CERTIFICATE REQUEST-----

There you go, you have obtained certificates from Let’s Encrypt!

7. Destroy the environment

Kill the Juju controller:

juju kill-controller microk8s-localhost

Uninstall the Juju and MicroK8s snaps:

sudo snap remove microk8s juju --purge

Help improve this document in the forum (guidelines). Last updated 10 months ago.