Name: kube-lego
Owner: CoreOS
Description: Kube-Lego automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt
Forked from: jetstack/kube-lego
Created: 2016-11-02 23:13:56.0
Updated: 2018-04-13 18:07:41.0
Pushed: 2016-11-03 05:06:58.0
Homepage: null
Size: 40277
Language: Go
GitHub Committers

| User | Most Recent Commit | # Commits |
|------|--------------------|-----------|

Other Committers

| User | Most Recent Commit | # Commits |
|------|--------------------|-----------|
kube-lego automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt
- `LEGO_MINIMUM_VALIDITY`
- `LEGO_SECRET_NAME`
- `HTTP-01` challenge
- `HTTP-01` challenge to succeed
- `LEGO_EMAIL` with your mail address
- `LEGO_POD_IP` with the pod IP address using the downward API
- `LEGO_URL` is the Let's Encrypt staging environment. If you want to get "real" certificates you have to configure their production env.

As soon as the kube-lego daemon is running, it will look for ingress resources that have this annotation:

```yaml
metadata:
  annotations:
    kubernetes.io/tls-acme: "true"
```
Every ingress resource that has this annotation will be monitored by kube-lego (cluster-wide in all namespaces). The only part that is watched is the list `spec.tls`. Every element will get its own certificate through Let's Encrypt.
Let's take a look at this ingress resource:

```yaml
spec:
  tls:
  - secretName: mysql-tls
    hosts:
    - phpmyadmin.example.com
    - mysql.example.com
  - secretName: postgres-tls
    hosts:
    - postgres.example.com
```
kube-lego will obtain two certificates (one with phpmyadmin.example.com and mysql.example.com, the other with postgres.example.com). Please note:

- `secretName` statements have to be unique per namespace
- `secretName` is required (even if no secret exists with that name, as it will be created by kube-lego)

gcr.io/google_containers/nginx-ingress-controller

Type=NodePort
| Name | Required | Default | Description |
|------|----------|---------|-------------|
| LEGO_EMAIL | y | - | E-Mail address for the ACME account, used to recover from lost secrets |
| LEGO_POD_IP | y | - | Pod IP address (use the downward API) |
| LEGO_NAMESPACE | n | default | Namespace where kube-lego is running in |
| LEGO_URL | n | https://acme-staging.api.letsencrypt.org/directory | URL for the ACME server. To get "real" certificates set to the production API of Let's Encrypt: https://acme-v01.api.letsencrypt.org/directory |
| LEGO_SECRET_NAME | n | kube-lego-account | Name of the secret in the same namespace that contains the ACME account secret |
| LEGO_SERVICE_NAME_NGINX | n | kube-lego-nginx | Service name for NGINX ingress |
| LEGO_SERVICE_NAME_GCE | n | kube-lego-gce | Service name for GCE ingress |
| LEGO_INGRESS_NAME_NGINX | n | kube-lego-nginx | Ingress name which contains the routing for HTTP verification for nginx ingress |
| LEGO_PORT | n | 8080 | Port where this daemon is listening for verification calls (HTTP method) |
| LEGO_CHECK_INTERVAL | n | 8h | Interval for periodic certificate checks (to find expired certs) |
| LEGO_MINIMUM_VALIDITY | n | 720h (30 days) | Request a renewal when the remaining certificate validity falls below that value |
| LEGO_DEFAULT_INGRESS_CLASS | n | nginx | Default ingress class for resources without specification |
| LEGO_KUBE_API_URL | n | http://127.0.0.1:8080 | API server URL |
| LEGO_LOG_LEVEL | n | info | Set log level (debug \| info \| warn \| error) |
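The variables in the table above are wired into the kube-lego pod through its Deployment manifest. The following manifest is an added example written for this page, not the project's shipped deployment file: the namespace, labels, e-mail address, `apps/v1` API version and the `KUBE_LEGO_IMAGE_PLACEHOLDER` image reference are assumptions to replace with your own values. It shows the two required variables, `LEGO_POD_IP` filled by the downward API as the README asks, and `LEGO_URL` switched from the staging default to the production directory.

```yaml
# Added example Deployment for kube-lego (constructed for this page; not the
# project's own manifest). Names, namespace, address and image are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-lego
  namespace: kube-lego           # assumption: any namespace works, see LEGO_NAMESPACE
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-lego
  template:
    metadata:
      labels:
        app: kube-lego
    spec:
      containers:
      - name: kube-lego
        image: KUBE_LEGO_IMAGE_PLACEHOLDER   # assumption: the kube-lego image and tag you deploy
        ports:
        - containerPort: 8080              # must match LEGO_PORT (default 8080)
        env:
        - name: LEGO_EMAIL
          value: "ops@example.com"         # constructed address; ACME account recovery contact
        - name: LEGO_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP      # downward API, as required by the README
        - name: LEGO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LEGO_URL
          # The default is the staging directory, which issues certificates that
          # browsers do not trust. Point at production only once the HTTP-01 path
          # is known to work, because the production API enforces rate limits.
          value: "https://acme-v01.api.letsencrypt.org/directory"
        - name: LEGO_MINIMUM_VALIDITY
          value: "720h"                    # renew when less than 30 days remain
        - name: LEGO_LOG_LEVEL
          value: "info"
```

Keep `LEGO_URL` on the staging default while validating that the `HTTP-01` verification ingress is reachable from the internet; the certificates in the `secretName` entries will be issued by the staging CA until the production URL is set.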
Christian Simon for Jetstack Ltd