Simplify Lets Encrypt Certificates Management for Kubernetes
I've been using this project on GKE for ~2 weeks now in combination with the nginx ingress controller. I have it configured to use the DNS challenge to get new certs so I don't have to expose an extra port as well.
It feels liberating to just get an SSL cert for any subdomain I need and have the whole process abstracted from me.
Since a few days ago, ingress objects are now supported directly with the correct annotations. See https://github.com/PalmStoneGames/kube-cert-manager/blob/mas...
I thought I wanted this for a long time, but `kube-lego` gets me very similar results... without needing to inject credentials for my DNS provider to my cluster.
I'm curious if others have thoughts on this vs kube-lego. (I would agree that I like the approach of this project quite a bit more than kelseyhightower's. This feels more complete, works with far more providers, etc)
You can use http challenges with kcm as well. Which is what ensures you don't need to inject dns credentials.
Whoa! This is really great! Thank you for this (and to think I was excited to see the Caddy secret backend, this is way better IMO)!
edit: Oh my, and I can use this for the HTTP challenge and still use it with other Ingress controllers. I'd love to buy you a beer/rootbeer or something, I'm so tickled to have this!
If you're ever in Stockholm, prod me on Twitter and we can have a rootbeer :)
Big kudos to Luna for fusing both of these awesome projects - this was actually on our backlog too and helped a lot!
Found this similar project a couple days ago: https://github.com/tazjin/kubernetes-letsencrypt
Doesn't seem quite as configurable but looks a bit simpler to implement.
Please file an issue if you're missing some configuration option! I explicitly don't intend to support other challenge mechanisms than DNS though.
I'm curious what advantages and tradeoffs it has over the project that it is based upon [1] for a person choosing between them.
Largely, https://github.com/kelseyhightower/kube-cert-manager is incomplete
* it does not support subdomains (only root domains)
* it only supports googlecloud as dns provider
* Bugs and PRs remain unanswered/unmerged
Meanwhile the linked project supports http, SNI and DNS challenges, with around 20 or so DNS providers available. It also supports managing certs for ingress objects directly.
Does it support multiple SANs on a single cert? I want to streamline things like vanity domain redirections, where every domain I add requires me to refresh the cert.
Unfortunately, not currently, no :< It's trivial to get separate certs, but getting them all on a single cert is not in yet.
I haven't used this yet but will say that lego (which this uses) is a joy to use.
What are the major differences between this and, say, kube-lego that might entice someone to switch?
You can manage individual certs with cert objects that aren't used by ingresses.
Very cool, thank you!