kube-lego automatically requests certificates for Kubernetes Ingress resources from Let’s Encrypt. This chart bootstraps a kube-lego deployment on a Kubernetes cluster using the Helm package manager. kube-lego is in maintenance mode only. There is no plan to support any new features. The latest Kubernetes release that kube-lego officially supports is 1.8. The officially endorsed successor is cert-manager.
- Kubernetes 1.2+
- Compatible ingress controller (nginx or GCE)
- Non-production use case
Recognizes the need for a new certificate in these cases:
- No certificate exists
- The existing certificate does not contain all domain names
- The existing certificate is expired or close to its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
- The existing certificate is unparseable, invalid or does not match the secret key
- Creates a user account (incl. private key) for Let’s Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
- Obtains the missing certificates from Let’s Encrypt and authorizes the request with the HTTP-01 challenge
- Makes sure that the specific Kubernetes objects (Services, Ingress) contain the right configuration for the HTTP-01 challenge to succeed
- Official Kubernetes Helm chart for simple deployment.
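The certificate checks listed above can be expressed as one decision function. The Go sketch below is an added example, not kube-lego's own code: `needsNewCert` and `selfSigned` are hypothetical names, the `minValidity` parameter stands in for LEGO_MINIMUM_VALIDITY, and the sample certificate is constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsNewCert applies the four checks listed above (hypothetical helper).
func needsNewCert(certPEM, keyPEM []byte, domains []string, minValidity time.Duration, now time.Time) (bool, string) {
	if len(certPEM) == 0 {
		return true, "no certificate"
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects bad PEM and key mismatch
	if err != nil {
		return true, "unparseable or key mismatch"
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair parsed it already
	for _, d := range domains {
		if leaf.VerifyHostname(d) != nil { // SAN match, wildcards allowed
			return true, "missing domain " + d
		}
	}
	if now.Add(minValidity).After(leaf.NotAfter) { // stand-in for LEGO_MINIMUM_VALIDITY
		return true, "expired or close to expiry"
	}
	return false, "ok"
}

// selfSigned returns a constructed sample certificate and key (test data only).
func selfSigned(domains []string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: domains,
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kb, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})
}

func main() {
	c, k := selfSigned([]string{"a.example.com"}, time.Now().Add(10*24*time.Hour))
	fmt.Println(needsNewCert(c, k, []string{"a.example.com"}, 720*time.Hour, time.Now()))
}
```

Run against the Ingress secret's certificate and key, the same function shows why a secret would be flagged for re-issuance before any request reaches Let's Encrypt.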
The default value of LEGO_URL is the Let’s Encrypt staging environment. If you want to get “real” certificates, you have to configure their production environment.
- The secretName statements have to be unique per namespace
- secretName is required (even if no secret exists with that name, as it will be created by kube-lego)
- Setups which utilize 1:1 NAT need to ensure internal resources can reach gateway controlled public addresses.
- Additionally, your domain must point to your externally available Load Balancer (either directly or via 1:1 NAT)
Nginx Ingress Controller
- available through image gcr.io/google_containers/nginx-ingress-controller
- fully supports kube-lego from version 0.8 onwards
- you don’t have to maintain the ingress controller yourself, you pay GCE to do that for you
- every ingress resource creates one GCE load balancer
- all services that you want to expose have to be Type=NodePort