What if you can configure your infrastucture with a process that requests your SSL Certificates automatic. Not only this, but this process registeres the certificates in your infrastructure also. There is more. The process also requests new versions of certificates every 30 days so the certificate will not expire. All of this, complely automated. It’s even completely free! You or your traditional ops department won’t believe this is possible.
Enter the new world of infrastructure: Kube-Lego, ofcourse hosted on Kubernetes.
Now I hear you think: “This is to good to be true. It must be hard to configure”. The configuration is really easy actually, as you will see in this blogpost.
The Open source tool Kube-Lego uses service Let’s Encrypt to acquire SSL Certificates.
With Let’s Encrypt you can get SSL/TLS certificates for free. Let’s Encrypt wants a more secure internet and they offer this service with automation in mind. Kube-Lego makes this possible in practice for Kubernetes. Let’s Encrypt will even support wildcard certificates from January 2018.
To install Kube-Lego we are going to deploy 2 resources in Kubernetes. A ConfigMap and a Pod. Besides this we are going to add some configuration to our Ingress.
Steps to install and configure Kube-Lego
- you should have Ingress configured on your Kubernetes cluster. You can read how to do this in my blogpost for a step by step manual.
- you also need to have a DNS entry configured so the public IP Address of the Ingress Service can be accessed on a URL. Otherwise the certificate won’t be succesfully requested.
1. Install a ConfigMap
Change the emailaddress. It’s being used to create an account on Let’s Encrypt. I’ve chosen to install Kube-Lego in the kube-system namespace.
apiVersion: v1 kind: ConfigMap metadata: name: kube-lego namespace: kube-system data: # modify this to specify your address lego.email: "email@example.com" # configure letsencrypt's production api lego.url: "https://acme-v01.api.letsencrypt.org/directory"
Kubectl apply -f KubeLegoConfigMap.yaml
2. Install Kube-Lego Pod
apiVersion: extensions/v1beta1 kind: Deployment metadata: name: kube-lego namespace: kube-system spec: replicas: 1 template: metadata: labels: app: kube-lego spec: containers: - name: kube-lego image: jetstack/kube-lego:0.1.5 imagePullPolicy: Always ports: - containerPort: 8080 env: - name: LEGO_EMAIL valueFrom: configMapKeyRef: name: kube-lego key: lego.email - name: LEGO_URL valueFrom: configMapKeyRef: name: kube-lego key: lego.url - name: LEGO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: LEGO_POD_IP valueFrom: fieldRef: fieldPath: status.podIP readinessProbe: httpGet: path: /healthz port: 8080 initialDelaySeconds: 5 timeoutSeconds: 1
kubectl apply -f KubeLego.yaml
3. Change the Ingress
Based on the Ingress from my blogpost on how to configure Ingress, you have to add the following:
– Add the following annotation:
– Add tls configuration:
spec: tls: - hosts: - mymicroservices.xpirit.nl secretName: tls-kubelego
The complete Ingress, looks like this:
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: myingress annotations: kubernetes.io/tls-acme: "true" kubernetes.io/ingress.class: nginx ingress.kubernetes.io/rewrite-target: / spec: tls: - hosts: - mymicroservices.xpirit.nl secretName: tls-kubelego rules: - host: mymicroservices.xpirit.nl http: paths: - path: /mywebapi backend: serviceName: myapiservice servicePort: 80
kubectl apply -f DeployIngress.yaml
Wait a short time after deployment, so Kube-Lego can create an account at Let’s Encrypt for you and after that can request, download and register the certificate in a secret. When you have multiple host names in your Ingress, Kube-Lego will request a certificate for each of them.
Now you can access your services through https.
In case of problems:
You can take a look at the logs of Kube-Lego:
1. Get the name of the Pod which is running Kube-Lego:
kubectl get pods -n kube-system
2. Take a look at the log:
kubectl logs -f “kubelegopodname” -n kube-system
All files can be found on my github account