kube-lego automatically requests certificates for Kubernetes Ingress resources from Let’s Encrypt. This chart bootstraps a kube-lego deployment on a Kubernetes cluster using the Helm package manager. kube-lego is in maintenance mode only. There is no plan to support any new features. The latest Kubernetes release that kube-lego officially supports is 1.8. The officially endorsed successor is cert-manager.


  • Kubernetes 1.2+
  • Compatible ingress controller (nginx or GCE see here)
  • Non-production use case


Recognizes the need of a new certificate for this cases:

  • No certificate existing
  • The existing certificate is not containing all domain names
  • The existing certificate is expired or near to its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
  • The existing certificate is unparseable, invalid or not matching the secret key
  • Creates a user account (incl. private key) for Let’s Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
  • Obtains the missing certificates from Let’s Encrypt and authorizes the request with the HTTP-01 challenge
  • Makes sure that the specific Kubernetes objects (Services, Ingress) contain the rights configuration for the HTTP-01 challenge to succeed
  • Official Kubernetes Helm chart for simplistic deployment.

Run kube-lego

  • GCE
  • nginx controller

The default value of LEGO_URL is the Let’s Encrypt staging environment. If you want to get “real” certificates you have to configure their production env.

Please note:

  • The secretName statements have to be unique per namespace
  • secretName is required (even if no secret exists with that name, as it will be created by kube-lego)
  • Setups which utilize 1:1 NAT need to ensure internal resources can reach gateway controlled public addresses.
  • Additionally, your domain must point to your externally available Load Balancer (either directly or via 1:1 NAT)

Ingress controllers

Nginx Ingress Controller

  • available through image gcr.io/google_containers/nginx-ingress-controller
  • fully supports kube-lego from version 0.8 onwards

GCE Loadbalancers

  • you don’t have to maintain the ingress controller yourself, you pay GCE to do that for you
  • every ingress resource creates one GCE load balancer
  • all service that you want to expose, have to be Type=NodePort

Tell us about a new Kubernetes application


Never miss a thing! Sign up for our newsletter to stay updated.


Discover and learn about everything Kubernetes