kube-lego automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt.
ref:
https://github.com/jetstack/kube-lego
https://letsencrypt.org/
I run kube-lego v0.1.5 with Kubernetes v1.9.4, and everything works very well.
Deploy kube-lego
It is strongly recommended to try the Let's Encrypt staging API first: staging certificates are not trusted by browsers, but the staging endpoint has far more generous rate limits, so a misconfigured setup will not exhaust your production issuance quota.
# kube-lego/deployment.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: kube-lego
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-lego
  namespace: kube-lego
data:
  LEGO.EMAIL: "[email protected]"
  # LEGO.URL: "https://acme-v01.api.letsencrypt.org/directory"
  LEGO.URL: "https://acme-staging.api.letsencrypt.org/directory"
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kube-lego
  namespace: kube-lego
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-lego
  template:
    metadata:
      labels:
        app: kube-lego
    spec:
      containers:
      - name: kube-lego
        image: jetstack/kube-lego:0.1.5
        ports:
        - containerPort: 8080
        env:
        - name: LEGO_LOG_LEVEL
          value: debug
        - name: LEGO_EMAIL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: LEGO.EMAIL
        - name: LEGO_URL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: LEGO.URL
        - name: LEGO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LEGO_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 1
ref:
https://github.com/jetstack/kube-lego/tree/master/examples
$ kubectl apply -f kube-lego/ -R
Configure the Ingress
- Add the annotation kubernetes.io/tls-acme: "true" to metadata.annotations.
- Add the domains to spec.tls.hosts.
spec.tls.secretName is the Secret used to store the certificate received from Let's Encrypt, i.e., tls.key and tls.crt. If no Secret exists with that name, kube-lego will create it.
# ingress.yaml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: simple-project
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - secretName: kittenphile-com-tls
    hosts:
    - kittenphile.com
    - www.kittenphile.com
    - api.kittenphile.com
  rules:
  - host: kittenphile.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: simple-frontend
          servicePort: http
  - host: www.kittenphile.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: simple-frontend
          servicePort: http
  - host: api.kittenphile.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: simple-api
          servicePort: http
ref:
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
$ kubectl apply -f ingress.yaml
You can find the exact ACME challenge paths that kube-lego added by inspecting your Ingress resource.
$ kubectl describe ing simple-project
...
TLS:
  kittenphile-com-tls terminates kittenphile.com,www.kittenphile.com,api.kittenphile.com
Rules:
  Host                 Path                           Backends
  ----                 ----                           --------
  kittenphile.com
                       /.well-known/acme-challenge/*  kube-lego-gce:8080 (<none>)
                       /*                             simple-frontend:http (<none>)
  www.kittenphile.com
                       /.well-known/acme-challenge/*  kube-lego-gce:8080 (<none>)
                       /*                             simple-frontend:http (<none>)
  api.kittenphile.com
                       /.well-known/acme-challenge/*  kube-lego-gce:8080 (<none>)
                       /*                             simple-api:http (<none>)
...
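As an added check (my own example, not code from the post or from kube-lego), the following script parses `kubectl describe ing` output like the one above and reports every host in spec.tls.hosts whose /.well-known/acme-challenge/* path is missing or is routed to something other than a kube-lego backend, which is the usual reason an HTTP-01 validation fails. The sample output is constructed, and the "kube-lego" backend name prefix is an assumption.

```python
import re

# Constructed sample of `kubectl describe ing` output, modelled on the page's
# Ingress; api.kittenphile.com deliberately lacks the challenge path.
SAMPLE_DESCRIBE = """\
TLS:
  kittenphile-com-tls terminates kittenphile.com,api.kittenphile.com
Rules:
  Host                 Path                           Backends
  ----                 ----                           --------
  kittenphile.com
                       /.well-known/acme-challenge/*  kube-lego-gce:8080 (<none>)
                       /*                             simple-frontend:http (<none>)
  api.kittenphile.com
                       /*                             simple-api:http (<none>)
"""
CHALLENGE_PATH = "/.well-known/acme-challenge/*"

def parse_describe(text):
    """Return (tls_hosts, rules); rules maps host -> {path: backend}."""
    tls_hosts, rules, section, host = set(), {}, None, None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        stripped = line.strip()
        if not line[0].isspace():  # a column-0 key such as "TLS:" starts a new section
            section = {"TLS:": "tls", "Rules:": "rules"}.get(stripped.split()[0])
        elif section == "tls":
            m = re.match(r"\S+ terminates (\S+)", stripped)
            if m:
                tls_hosts.update(m.group(1).split(","))
        elif section == "rules" and not stripped.startswith(("Host ", "----")):
            parts = stripped.split()
            if parts[0].startswith("/"):  # path line under the current host
                rules.setdefault(host, {})[parts[0]] = parts[1]
            else:  # bare host line
                host = parts[0]
                rules.setdefault(host, {})
    return tls_hosts, rules

def check_acme_routing(text, challenge_backend="kube-lego"):
    """Report TLS hosts whose HTTP-01 path is missing or not routed to kube-lego (assumed prefix)."""
    tls_hosts, rules = parse_describe(text)
    problems = []
    for h in sorted(tls_hosts):
        backend = rules.get(h, {}).get(CHALLENGE_PATH)
        if backend is None:
            problems.append(f"{h}: no {CHALLENGE_PATH} rule, HTTP-01 validation will fail")
        elif not backend.startswith(challenge_backend):
            problems.append(f"{h}: challenge path routed to {backend}, not kube-lego")
    return problems
```

Pipe the real output in with `kubectl describe ing simple-project | python3 -c 'import sys, check; print(check.check_acme_routing(sys.stdin.read()))'` after saving the block as check.py.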
You may want to follow the logs of the kube-lego Pod to observe the progress.
$ kubectl logs -f deploy/kube-lego --namespace kube-lego
Create a Production Certificate
Once you have confirmed that everything works, you can request production certificates for your domains.
Follow these instructions:
- Change LEGO_URL (the LEGO.URL key in the ConfigMap) to https://acme-v01.api.letsencrypt.org/directory
- Delete the account secret kube-lego-account
- Delete the certificate secret kittenphile-com-tls
- Restart kube-lego
$ kubectl get secrets --all-namespaces
$ kubectl delete secret kube-lego-account --namespace kube-lego && \
kubectl delete secret kittenphile-com-tls
$ kubectl replace --force -f kube-lego/ -R
$ kubectl logs -f deploy/kube-lego --namespace kube-lego
ref:
https://github.com/jetstack/kube-lego#switching-from-staging-to-production