Kube-Lego is an open source tool that automates certificate provisioning for Kubernetes using the ACME protocol and Let's Encrypt. It works from Ingress resources and ingress controllers to request and renew TLS certificates and expose services over HTTPS. Kube-Lego watches Ingress resources for changes, obtains certificates from an ACME server by completing its challenges, then hands the certificates to ingress controllers such as NGINX to terminate TLS for the services. Planned work includes better failure handling, configurable certificate options, and support for additional ACME challenge types.
3. Demo Preparation
DNS admins in the audience, please point any hostname via a CNAME record to:
kube-lego.jetstack.io
and tweet the hostname @jetstackhq
4. ACME / Let's Encrypt Protocol
Automated Certificate Management Environment
● Well-defined protocol for interacting with a CA
● Supports different challenge types
  ○ HTTP
  ○ DNS
  ○ TLS-SNI
  ○ Proof of possession of a prior key
● User account, identified by an account key pair
● Let's Encrypt issues certificates with a maximum lifetime of 90 days, so renewal has to be automated
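The HTTP and DNS challenges listed above both derive their response from the account key and the token the CA hands out. The following is an added example (not kube-lego's code and not from the slides) that computes the RFC 7638 key thumbprint, the HTTP-01 key authorization and the DNS-01 TXT value, and applies the checks a CA performs on the served response. The account JWK and the token are constructed sample values, not a real key.

```python
"""ACME HTTP-01 / DNS-01 challenge responses from an account key.

Added example. The JWK below is constructed (its 'n' is not a real RSA
modulus) and the token is a made-up sample; only the derivation is real.
"""
import base64
import hashlib
import json
import re

# Constructed account key: only e, kty, n matter for the thumbprint; the
# extra "alg" member is deliberately present to show it is ignored.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "not-a-real-modulus_just-base64url-looking-sample-data_0123456789AB",
    "e": "AQAB",
    "alg": "RS256",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token

# RFC 8555 section 8.3: tokens use only the base64url alphabet and carry at
# least 128 bits of entropy; 22 base64url characters encode 16 random bytes.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only
    (RSA: e, kty, n; EC: crv, kty, x, y), keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the value every challenge type is built on."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the HTTP-01 response over port 80."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)) in a TXT record
    at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def valid_token(token: str) -> bool:
    """A client that writes tokens to disk must reject anything outside the
    base64url alphabet: the token becomes part of a URL path, so a '../'
    in it would be a path traversal."""
    return TOKEN_RE.fullmatch(token) is not None


def validate_http01(served_body: str, token: str, jwk: dict) -> bool:
    """What the CA checks after fetching the challenge URL: the body must
    equal the key authorization (RFC 8555 section 8.3 lets the server
    ignore trailing whitespace)."""
    return served_body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    print("GET", http01_path(TOKEN))
    print("body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("TXT :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Kube-Lego answers HTTP-01 from its own pod rather than from files, but any client that maps tokens onto a filesystem path needs the alphabet check; the thumbprint canonicalisation is why an account key with extra JWK members (alg, use, kid) still yields the same responses.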
8. Ingress-Controller
Google Compute Engine (GCE) load balancers
● L7 load balancing as a service
● Feature set is bounded by what GCE forwarding rules support
● The ingress controller watches for changes in the Kubernetes API and configures GCE accordingly
● One Ingress object equals one GCE load balancer
● Backend Services need to be of type=NodePort
9. Ingress-Controller
Using different ingress controllers
● Select the controller that handles an Ingress with an annotation:
  kubernetes.io/ingress.class: "nginx"
  kubernetes.io/ingress.class: "gce"
● The same Ingress configuration is handled differently by GCE vs. NGINX:
  ○ Paths: / vs. /* (GCE matches / literally and needs /* for a prefix match)
  ○ Order of backends
  ○ Aggregation of multiple resources (NGINX) vs. isolated instances (GCE)
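To make the differences on slides 8 and 9 concrete, here is an added example (my own model, not code from kube-lego or from either ingress controller) that takes constructed Ingress objects and renders the view each controller would take of them: which objects each controller claims via the ingress.class annotation, the / vs. /* path rewrite, the NodePort requirement for GCE backends, and one load balancer per Ingress on GCE versus one merged table on NGINX. The Services, Ingresses and the assumption that GCE is the cluster's default controller (so an unannotated Ingress gets a GCE load balancer) are mine.

```python
"""One Ingress, two controllers: class selection, path semantics and
aggregation as the slides describe them. Added example; the objects below
are constructed test data and the controller behaviour is modelled, not
taken from the real controllers' source."""

CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed Services with their types; GCE backends must be NodePort.
SERVICES = {"web": "NodePort", "api": "ClusterIP"}

# Constructed Ingress objects trimmed to annotations, host and (path, service).
INGRESSES = [
    {"name": "shop", "annotations": {CLASS_ANNOTATION: "gce"},
     "rules": [{"host": "shop.example.com", "paths": [("/", "web")]}]},
    {"name": "api", "annotations": {CLASS_ANNOTATION: "nginx"},
     "rules": [{"host": "api.example.com", "paths": [("/v1", "api")]}]},
    {"name": "legacy", "annotations": {},  # no class annotation at all
     "rules": [{"host": "old.example.com", "paths": [("/", "web")]}]},
]


def claimed_by(ingress: dict, controller_class: str, is_default: bool) -> bool:
    """An annotated Ingress goes only to the matching controller. An
    unannotated one goes to whichever controller is the cluster default
    (assumption: GCE on GKE), which is how a forgotten annotation ends up
    as a public GCE load balancer."""
    cls = ingress["annotations"].get(CLASS_ANNOTATION)
    return cls == controller_class if cls else is_default


def gce_path(path: str) -> str:
    """GCE URL maps match '/' literally; a prefix match needs '/*'."""
    return path if path.endswith("/*") else path.rstrip("/") + "/*"


def render_gce(ingresses: list) -> list:
    """Isolated instances: one load balancer per claimed Ingress, each
    backend checked for type=NodePort before it is accepted."""
    load_balancers = []
    for ing in ingresses:
        if not claimed_by(ing, "gce", is_default=True):
            continue
        rules = []
        for rule in ing["rules"]:
            for path, svc in rule["paths"]:
                if SERVICES[svc] != "NodePort":
                    raise ValueError(
                        f"{ing['name']}: service {svc} is {SERVICES[svc]}, GCE needs NodePort")
                rules.append((rule["host"], gce_path(path), svc))
        load_balancers.append({"name": ing["name"], "rules": rules})
    return load_balancers


def render_nginx(ingresses: list) -> dict:
    """Aggregation: every claimed Ingress is merged into one location table
    in the order the objects are seen; '/' is already a prefix match."""
    locations = []
    for ing in ingresses:
        if not claimed_by(ing, "nginx", is_default=False):
            continue
        for rule in ing["rules"]:
            for path, svc in rule["paths"]:
                locations.append((rule["host"], path, svc))
    return {"locations": locations}


if __name__ == "__main__":
    for lb in render_gce(INGRESSES):
        print("GCE LB", lb["name"], lb["rules"])
    print("NGINX", render_nginx(INGRESSES))
```

Running it shows the "legacy" Ingress, which carries no class annotation, landing on GCE alongside "shop", while only "api" reaches NGINX; swapping the "api" backend into the GCE set raises because the Service is ClusterIP.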
19. Future Work / Roadmap
Kube-Lego roadmap
● Better failure handling (marking requests as permanently failed instead of retrying forever)
● Specify which namespaces to watch
● Configure key length and algorithm
● Support the TLS-SNI challenge (note: Let's Encrypt later disabled TLS-SNI-01, and it is not part of RFC 8555)
● Revoke certificates after they have been replaced