Nginx-lego
This chart bootstraps an nginx-lego deployment on a Kubernetes cluster using the Helm package manager. It is a container that provides an nginx-based HTTPS/SSL proxy. It uses https://letsencrypt.org/ and https://github.com/xenolf/lego to automatically obtain and renew certificates.
It is mainly intended for use with internal (not publicly accessible) services, such as internal Docker registries, so it uses the DNS challenge and API-enabled DNS servers.
nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 25.03% of the busiest sites in August 2018. Here are some of the success stories: Dropbox, Netflix, WordPress.com, FastMail.FM.
The sources and documentation are distributed under the 2-clause BSD-like license.
Kubernetes Ingress objects are used to manage HTTP(S) access from the internet to inside the Kubernetes cluster. Among other things, they let us do the following:
We run on Google Cloud’s Kubernetes Engine. Even though GKE comes pre-installed with the Google Cloud Load Balancer Ingress provider, we decided to use nginx instead for the following reasons:
Ingress objects are used to tell the ingress controllers which requests should be routed to which Service objects. Usually, the rules either check for a hostname (like mybinder.org or prometheus.mybinder.org) and/or a URL prefix (like /metrics or /docs). You can see all the ingress objects present with kubectl --namespace=prod get ingress.
The following ingress objects currently exist:
kube-lego-nginx – Used by kube-lego for doing automatic HTTPS certificate renewals.
Register with CA
Obtain certificates, both from scratch or with an existing CSR
Renew certificates
Revoke certificates
Robust implementation of all ACME challenges
Please keep in mind that CLI switches and APIs are still subject to change.
When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.