Public Repository

Last pushed: a year ago
Short Description
Obtain and install Let's Encrypt certificates for Kubernetes Ingresses
Full Description

NOTE: This container is designed to be run as a Job inside Kubernetes. The entrypoint of this container makes calls to the Kubernetes API using ServiceAccount credentials and will NOT work outside Kubernetes.

Environment Variables

  • DOMAINS - comma-separated list of domains to secure (passed as -d option to certbot)
  • EMAIL - administrative email contact (passed as --email option to certbot)
  • SECRET - name of the Kubernetes Secret that contains the tls.key and tls.crt keys for the Ingress secret. Running this container will update the secret with a new key and cert.
  • DEPLOYMENT - name of the Kubernetes Deployment that runs the Ingress. This container will update that deployment with an annotation noting the date of the last update, causing a redeployment and a refresh of the TLS secrets.

Example usage is below.

Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
spec:
  tls:
  - hosts:
    - www.example.com
    secretName: nginx
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress
          servicePort: 80
      - path: /.well-known
        backend:
          serviceName: letsencrypt
          servicePort: 80

Ingress Deployment

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginxdemos/nginx-ingress:0.3
        imagePullPolicy: Always
        name: nginx
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443

Job

apiVersion: batch/v1
kind: Job
metadata:
  name: letsencrypt
  labels:
    app: letsencrypt
spec:
  template:
    metadata:
      name: letsencrypt
      labels:
        app: letsencrypt
    spec:
      containers:
      - image: sjenning/kube-nginx-letsencrypt:0.8.1-1
        name: letsencrypt
        imagePullPolicy: Always
        ports:
        - name: letsencrypt
          containerPort: 80
        env:
        - name: DOMAINS
          value: example.com,www.example.com
        - name: EMAIL
          value: admin@example.com
        - name: SECRET
          value: nginx
        - name: DEPLOYMENT
          value: nginx
      restartPolicy: Never
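
How the SECRET and DEPLOYMENT updates described above can be made against the Kubernetes API from inside a pod, as an added example and not this image's own entrypoint. The function names and the letsencrypt/last-update annotation key are hypothetical; the deployment path assumes the extensions/v1beta1 API group used in the manifests above.

```shell
#!/bin/sh
# Added example, not the image's entrypoint. SA_DIR is the standard in-pod
# ServiceAccount mount; function names and the annotation key are hypothetical.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc

# Patch body that replaces tls.crt and tls.key in the Secret.
# Secret "data" values must be base64 with no line breaks, so strip newlines.
secret_patch() {  # $1 = certificate PEM path, $2 = private key PEM path
  crt=$(base64 < "$1" | tr -d '\n')
  key=$(base64 < "$2" | tr -d '\n')
  printf '{"data":{"tls.crt":"%s","tls.key":"%s"}}' "$crt" "$key"
}

# Patch body that stamps the pod template with the date of the update.
# Any change to spec.template makes the Deployment replace its pods,
# which is what makes the Ingress controller load the new Secret.
deployment_patch() {  # $1 = timestamp string
  printf '{"spec":{"template":{"metadata":{"annotations":{"letsencrypt/last-update":"%s"}}}}}' "$1"
}

# PATCH one object, authenticating with the ServiceAccount token and
# verifying the API server certificate against the mounted cluster CA.
k8s_patch() {  # $1 = API path, $2 = JSON body
  curl --silent --show-error --fail \
    --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -H "Content-Type: application/strategic-merge-patch+json" \
    -X PATCH --data "$2" "$API$1"
}

# Update the Secret first; only touch the Deployment if that succeeded.
update_ingress_tls() {  # $1 = cert, $2 = key; reads SECRET and DEPLOYMENT
  ns=$(cat "$SA_DIR/namespace")
  k8s_patch "/api/v1/namespaces/$ns/secrets/$SECRET" "$(secret_patch "$1" "$2")" &&
  k8s_patch "/apis/extensions/v1beta1/namespaces/$ns/deployments/$DEPLOYMENT" \
    "$(deployment_patch "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"
}
```

Call update_ingress_tls with the certificate and key paths once certbot has issued them. The ServiceAccount running the Job only needs permission to patch that one Secret and that one Deployment.
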
Owner
sjenning
