Cloud Certificate Renewer

Automated HTTPS certificate renewal tool for cloud services, supporting CDN and Load Balancer products. Currently supports Alibaba Cloud, with architecture designed for multi-cloud extension.

Table of Contents

• Features
• Kubernetes Deployment
• Documentation
• Contributing

Features

• Automatic certificate renewal for cloud CDN services (currently supports Alibaba Cloud)
• Automatic certificate renewal for cloud Load Balancer services (currently supports Alibaba Cloud SLB)
• Certificate validation (domain matching, expiration checking)
• Support for wildcard domain certificates
• CLI support with arguments (--dry-run, --verbose, --version)
• Multiple authentication methods:
  • Access Key authentication
  • STS (Security Token Service) temporary credentials
  • IAM Role authentication
  • OIDC (RRSA) authentication for Kubernetes
  • Service Account authentication
  • Environment variable authentication
• Configuration via environment variables or Kubernetes Secrets
• Comprehensive error handling and logging
• Helm Chart deployment support
• Integration with cert-manager and Reloader
• Automated release workflow with multi-architecture Docker images, Helm Charts, and PyPI packages

Kubernetes Deployment

Prerequisites

Required:

• Kubernetes cluster

Recommended:

• cert-manager (for automatic certificate acquisition and renewal)
• Reloader (for monitoring certificate Secret changes and automatically triggering Deployment redeployment)

Deployment

# 1. Create Secret (using generic naming, recommended)
kubectl create secret generic cloud-credentials \
  --from-literal=access-key-id=YOUR_KEY \
  --from-literal=access-key-secret=YOUR_SECRET

# Or use legacy naming (backward compatible)
# kubectl create secret generic alibaba-cloud-credentials \
#   --from-literal=access-key-id=YOUR_KEY \
#   --from-literal=access-key-secret=YOUR_SECRET

# 2. Deploy using Helm
helm install cloud-cert-renewer ./helm/cloud-cert-renewer \
  --set serviceType=cdn \
  --set cdn.domainName=your-domain.com

For detailed deployment instructions and troubleshooting, see:

• Helm Chart README
• TROUBLESHOOTING.md

How It Works

1. cert-manager automatically acquires/updates Let's Encrypt certificates and updates the cert-secret Secret
2. Reloader detects Secret changes and triggers Deployment redeployment
3. Init container starts, reads certificate from Secret, and calls cloud service API to update certificate
4. Init container exits after completion
5. Main container (placeholder) keeps running to ensure Deployment status is normal

Development

For development and testing, see DEVELOPMENT.md for detailed setup instructions.

CLI Installation

Using pip (PyPI)

You can install the tool directly from PyPI:

pip install cloud-cert-renewer

After installation, you can run the tool using the cloud-cert-renewer command:

# View help
cloud-cert-renewer --help

# Run in dry-run mode
cloud-cert-renewer --dry-run --verbose

# Run with environment variables
export SERVICE_TYPE=cdn
export CLOUD_ACCESS_KEY_ID=your_key
...
cloud-cert-renewer

Documentation

• CONTRIBUTING.md: Guidelines for contributing to the project
• DEVELOPMENT.md: Detailed development guide (code formatting, linting, testing, building)
• TROUBLESHOOTING.md: Common issues and debugging tips
• Helm Chart README: Detailed Kubernetes deployment guide
• testing-design-principles.mdc: Testing design and implementation principles

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines, including the language policy.

License

This project is licensed under the MIT License - see the LICENSE file for details.