kube-lego

kube-lego automatically requests certificates for Kubernetes Ingress resources from Let’s Encrypt. This chart bootstraps a kube-lego deployment on a Kubernetes cluster using the Helm package manager. kube-lego is in maintenance mode only. There is no plan to support any new features. The latest Kubernetes release that kube-lego officially supports is 1.8. The officially endorsed successor is cert-manager.

Requirements

• Kubernetes 1.2+
• Compatible ingress controller (nginx or GCE see here)
• Non-production use case

Features

Recognizes the need of a new certificate for this cases:

• No certificate existing
• The existing certificate is not containing all domain names
• The existing certificate is expired or near to its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
• The existing certificate is unparseable, invalid or not matching the secret key
• Creates a user account (incl. private key) for Let’s Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
• Obtains the missing certificates from Let’s Encrypt and authorizes the request with the HTTP-01 challenge
• Makes sure that the specific Kubernetes objects (Services, Ingress) contain the rights configuration for the HTTP-01 challenge to succeed
• Official Kubernetes Helm chart for simplistic deployment.

Run kube-lego

• GCE
• nginx controller

The default value of LEGO_URL is the Let’s Encrypt staging environment. If you want to get “real” certificates you have to configure their production env.

Please note:

• The secretName statements have to be unique per namespace
• secretName is required (even if no secret exists with that name, as it will be created by kube-lego)
• Setups which utilize 1:1 NAT need to ensure internal resources can reach gateway controlled public addresses.
• Additionally, your domain must point to your externally available Load Balancer (either directly or via 1:1 NAT)

Ingress controllers

Nginx Ingress Controller

• available through image gcr.io/google_containers/nginx-ingress-controller
• fully supports kube-lego from version 0.8 onwards

GCE Loadbalancers

• you don’t have to maintain the ingress controller yourself, you pay GCE to do that for you
• every ingress resource creates one GCE load balancer
• all service that you want to expose, have to be Type=NodePort