An Introduction to Kube-Lego
Transcript of An Introduction to Kube-Lego
Kube-Lego: Automated certificate provisioning for Kubernetes using ACME
https://github.com/jetstack/kube-lego
@JetstackHQ
Image: (CC BY-SA 4.0) Arto Alanenpää
Agenda
● ACME Protocol
● Ingress Resources & Controllers
● Kube-Lego Flow
● Demo
● Kube-Lego Roadmap
Demo Preparation
@ DNS admins in the audience, please point any hostname via a CNAME record to:
kube-lego.jetstack.io and tweet the hostname @jetstackhq
ACME (Automated Certificate Management Environment) / Let’s Encrypt Protocol
● Well-defined protocol for interacting with a CA
● Supports different challenges
○ HTTP
○ DNS
○ TLS-SNI
○ Proof of possession of a prior key
● User account
● Maximum certificate lifetime 90 days
Ingress-Controller: Resource
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: s1
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: s2
          servicePort: 80
● More advanced than services
● Not implemented in-tree
● L4 - L7
Ingress-Controller: Nginx
● Runs inside your cluster
● Exposed through services (typically type=LoadBalancer)
● Listens to changes of Ingress resources via K8S-API
=> writes out nginx.conf and reloads nginx
● Custom configuration easily possible
○ Basic Auth
○ HSTS
○ LDAP Auth
Ingress-Controller: Google Cloud Engine Load Balancers
● L7 load balancing as a service
● Depends on the features of GCE forwarding rules
● Ingress controller watches changes in the K8S API and configures GCE accordingly
● One Ingress object equals one load balancer in K8S
● Services need to be of type=NodePort
Ingress-Controller: Use different Ingress controllers
● Selection of the right controller using annotation:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/ingress.class: "gce"
● Same ingress configuration is handled differently on GCE vs. NGINX
○ Paths / vs. /*
○ Order of backends
○ Aggregation of multiple resources vs. isolated instances
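As an added check that is not part of these slides or of the kube-lego project: a small Python linter over an Ingress like the two-host spec above, flagging hosts routed without a tls entry, tls entries with no secretName for the issued certificate to land in, and a missing or unsupported ingress.class annotation. The tls block and the kubernetes.io/tls-acme opt-in annotation are taken from kube-lego's README, not from these slides, and the sample Ingress is constructed inline.

```python
"""Lint an Ingress for TLS coverage before an ACME provisioner acts on it."""
from typing import Any, Dict, List

# Constructed sample: the two-host spec from the slide plus a metadata and a
# tls block (added here, not on the slide). kube-lego opts an Ingress in via
# the kubernetes.io/tls-acme annotation and writes each tls entry's secretName.
INGRESS: Dict[str, Any] = {
    "metadata": {
        "name": "example",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            "kubernetes.io/tls-acme": "true",
        },
    },
    "spec": {
        "rules": [
            {"host": "foo.bar.com",
             "http": {"paths": [{"backend": {"serviceName": "s1", "servicePort": 80}}]}},
            {"host": "bar.foo.com",
             "http": {"paths": [{"backend": {"serviceName": "s2", "servicePort": 80}}]}},
        ],
        "tls": [
            {"hosts": ["foo.bar.com"], "secretName": "foo-bar-tls"},
        ],
    },
}

def annotation(ingress: Dict[str, Any], key: str) -> str:
    """Return an annotation value, or "" when it is absent."""
    return ingress.get("metadata", {}).get("annotations", {}).get(key, "")

def lint_ingress(ingress: Dict[str, Any]) -> List[str]:
    """Return findings as strings; an empty list means nothing to fix."""
    findings: List[str] = []
    spec = ingress.get("spec", {})
    rule_hosts = [r["host"] for r in spec.get("rules", []) if "host" in r]
    tls_hosts: set = set()
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):  # nowhere for the issued cert to land
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName")
        tls_hosts.update(entry.get("hosts", []))
    for host in rule_hosts:  # every routed host should also be a TLS host
        if host not in tls_hosts:
            findings.append(f"{host} is served without TLS (no tls entry)")
    if tls_hosts and annotation(ingress, "kubernetes.io/tls-acme") != "true":
        findings.append('tls block present but kubernetes.io/tls-acme is not "true"')
    if annotation(ingress, "kubernetes.io/ingress.class") not in ("nginx", "gce"):
        findings.append("no supported kubernetes.io/ingress.class annotation")
    return findings
```

Run against the sample, the only finding is that bar.foo.com is routed without a tls entry, which is exactly the host an ACME provisioner would never issue a certificate for.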
Future Work / Roadmap: Kube-Lego roadmap
● Better failure handling (marking requests as permanently failed)
● Specify namespaces to watch
● Configure key length and algorithm
● Support TLS-SNI challenge
● Revoke certificates after they have been replaced
Further Information
github.com/jetstack/kube-lego
@JetstackHQ
Christian Simon