Sixt/acm-secret-discovery-server

ACM Secret Discovery Server

ACM Secret Discovery Server is an Envoy SDS interface server that provides TLS certificates to Envoy proxy using AWS Certificate Manager (ACM).

It provides certificates for plain and mutual TLS (mTLS).

Intro

The service is designed to run as a sidecar in an Envoy proxy Kubernetes Pod, allowing TLS and optionally mTLS to be configured dynamically for downstream connections. Communication with Envoy is via gRPC over a Unix Domain Socket (UDS), and only the State of the World (SotW) xDS protocol is implemented.

Public TLS certificates are obtained from AWS Certificate Manager (ACM) using the exportable certificates feature.

An optional CA can be provided for the mTLS validation context. It is loaded as-is from an environment variable.

Usage

Configuration is through environment variables. AWS credentials are obtained using standard SDK means, e.g. pod identity, instance profile, environment variables, or others.

  • CERTIFICATE_ARN - required - the ARN of the ACM certificate.
  • CA_CERT - optional - CA certificate in PEM format for mTLS (the PEM text itself, not a file path).
  • ROTATION_PERIOD - optional - duration string - how often to refresh the certificate - default 24h.

Motivation

We've created this service to simplify TLS and mTLS configuration for Envoy proxies running in Kubernetes.

mTLS in particular is a security requirement that could not be offloaded to AWS NLBs at the time of writing, so TLS termination had to be moved into Envoy. AWS ACM is a great service for certificate management, and it lets us offload the complexity of certificate issuance and renewal, even more so since the recent launch of exportable public certificates.

This service is now a cornerstone of our gRPC-based workloads. It provides secure communication between our CDN and the backend services.

Internals

Secret names are hardcoded at the moment. The certificate chain and private key are obtained by requesting the certificate secret, and the CA certificate by requesting the ca_certificate secret.

The certificate is refreshed periodically, based on the ROTATION_PERIOD environment variable. ACM exportable certificates are valid for 13 months, and for simplicity there is no cache, watch, or hash comparison in this service: every tick exports the certificate from ACM again and returns it to Envoy.
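To make the Usage and Internals sections concrete, here is an added Go example (not the project's own code) that models the behaviour described above: the three environment variables are loaded with CERTIFICATE_ARN required and ROTATION_PERIOD defaulting to 24h, the two hardcoded secret names certificate and ca_certificate are resolved on every tick with no cache (State of the World semantics), and a ticker drives the re-export. The ACM call is abstracted behind an Exporter interface because the real AWS SDK call is not reproduced here; the Secret struct, the function names and the lookup-function style of configuration are assumptions of this example. One addition beyond the README is a startup check that CA_CERT actually parses as a PEM CA certificate, so a file path pasted by mistake fails early instead of at the first mTLS handshake.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Config mirrors the README's environment variables.
type Config struct {
	CertificateARN string
	CACertPEM      string        // optional, PEM text (not a path)
	RotationPeriod time.Duration // default 24h
}

// LoadConfig reads variables through a lookup function (os.LookupEnv in
// production) so it can be exercised against a constructed environment.
func LoadConfig(lookup func(string) (string, bool)) (Config, error) {
	cfg := Config{RotationPeriod: 24 * time.Hour}
	arn, ok := lookup("CERTIFICATE_ARN")
	if !ok || arn == "" {
		return cfg, errors.New("CERTIFICATE_ARN is required")
	}
	cfg.CertificateARN = arn
	if ca, ok := lookup("CA_CERT"); ok && ca != "" {
		// Added check (not in the README): fail at startup if CA_CERT is not PEM.
		if err := checkCAPEM(ca); err != nil {
			return cfg, fmt.Errorf("CA_CERT: %w", err)
		}
		cfg.CACertPEM = ca
	}
	if p, ok := lookup("ROTATION_PERIOD"); ok && p != "" {
		d, err := time.ParseDuration(p)
		if err != nil || d <= 0 {
			return cfg, fmt.Errorf("ROTATION_PERIOD: invalid duration %q", p)
		}
		cfg.RotationPeriod = d
	}
	return cfg, nil
}

// checkCAPEM confirms the value is one PEM CERTIFICATE block that is a CA.
func checkCAPEM(s string) error {
	block, _ := pem.Decode([]byte(s))
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("certificate is not a CA")
	}
	return nil
}

// Secret is the SDS resource handed to Envoy; the names are hardcoded as in the README.
type Secret struct {
	Name       string
	CertChain  []byte // PEM, only for "certificate"
	PrivateKey []byte // PEM, only for "certificate"
	TrustedCA  []byte // PEM, only for "ca_certificate"
}

// Exporter stands in for the ACM export call (assumed interface, not the AWS SDK).
type Exporter interface {
	Export(arn string) (chain, key []byte, err error)
}

// ExporterFunc adapts a plain function to Exporter.
type ExporterFunc func(arn string) ([]byte, []byte, error)

func (f ExporterFunc) Export(arn string) ([]byte, []byte, error) { return f(arn) }

// BuildResponse assembles a State-of-the-World response: every requested name is
// resolved afresh, with no cache or hash comparison, as the README describes.
func BuildResponse(cfg Config, exp Exporter, requested []string) ([]Secret, error) {
	var out []Secret
	for _, name := range requested {
		switch name {
		case "certificate":
			chain, key, err := exp.Export(cfg.CertificateARN)
			if err != nil {
				return nil, err
			}
			out = append(out, Secret{Name: name, CertChain: chain, PrivateKey: key})
		case "ca_certificate":
			if cfg.CACertPEM == "" {
				return nil, errors.New("ca_certificate requested but CA_CERT is not set")
			}
			out = append(out, Secret{Name: name, TrustedCA: []byte(cfg.CACertPEM)})
		default:
			return nil, fmt.Errorf("unknown secret %q", name)
		}
	}
	return out, nil
}

// Run pushes the full secret set immediately and again on every rotation tick.
func Run(ctx context.Context, cfg Config, exp Exporter, requested []string, push func([]Secret) error) error {
	t := time.NewTicker(cfg.RotationPeriod)
	defer t.Stop()
	for {
		secrets, err := BuildResponse(cfg, exp, requested)
		if err != nil {
			return err
		}
		if err := push(secrets); err != nil {
			return err
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-t.C:
		}
	}
}

// NewSelfSignedCA builds a throwaway CA PEM so the example runs offline (constructed test data).
func NewSelfSignedCA() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-mtls-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	cfg, err := LoadConfig(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("serving %s, rotating every %s\n", cfg.CertificateARN, cfg.RotationPeriod)
}
```

The real service would wrap BuildResponse in the SDS gRPC StreamSecrets handler over the UDS and replace ExporterFunc with the ACM export call; the shape of the per-tick loop and the two secret names are what carry over.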

Costs

AWS ACM exportable public certificates incur charges on issuance, renewal and export. Please see the pricing page for details.

See also

Copyright

Provided without warranty of any kind. Licensed under Apache License 2.0 - see LICENSE for details.

Created by and © Sixt SE - https://www.sixt.com

About

Envoy SDS server with AWS ACM backing