Uses certbot to obtain an X.509 certificate from Let's Encrypt and stores it as a secret in Kubernetes.
Create a service:
# kubernetes-certbot-svc.yml
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-certbot
spec:
  selector:
    name: kubernetes-certbot
  ports:
  - name: http
    port: 80
Create a replication controller:
# kubernetes-certbot-rc.yml
apiVersion: v1
kind: ReplicationController
metadata:
  name: kubernetes-certbot
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: kubernetes-certbot
    spec:
      containers:
      - name: kubernetes-certbot
        image: choffmeister/kubernetes-certbot:latest
        imagePullPolicy: Always
        env:
        - name: SECRET_NAMESPACE
          value: default
        - name: SECRET_NAME_PREFIX
          value: foobar
        volumeMounts:
        - mountPath: /etc/letsencrypt
          name: letsencrypt-data
      volumes:
      - name: letsencrypt-data
        emptyDir: {}
Configure your front gateway (in this example nginx) to forward all incoming ACME challenge traffic for certbot to the service you just created (this assumes you have kube-dns running, so that nginx is able to resolve the host kubernetes-certbot):
# nginx.conf
server {
  listen 80 default_server;
  server_name _;
  location /.well-known/acme-challenge/ {
    proxy_pass http://kubernetes-certbot;
  }
}
Then, whenever you need a certificate, find out the name of the pod (let it be ${LETSENCRYPT_POD} here) and execute:
kubectl exec -it ${LETSENCRYPT_POD} -- bash ./run.sh "secret-name" "mail@mydomain.com" "mydomain.com,www.mydomain.com" "namespace"
This will create a secret foobar-secret-name in the namespace default containing four entries, one for each of the .pem files generated by certbot.
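A post-issuance check worth running before pointing the gateway at the new secret, added here as an example and not part of kubernetes-certbot: it decodes the secret's entries and verifies remaining validity, that the private key matches the certificate, and that every requested domain is covered. The entry names fullchain.pem and privkey.pem are an assumption based on certbot's usual output files; check_secret needs kubectl and cluster access, the other functions only need openssl.

```shell
#!/usr/bin/env bash
# Added example, not part of kubernetes-certbot: sanity-check a certificate that
# run.sh stored before pointing the gateway at it. The secret entry names used
# below (fullchain.pem, privkey.pem) are an assumption based on certbot's usual
# output files; adjust them to whatever run.sh actually stores.
set -eu

# valid_for_days <cert.pem> <days>: succeeds if the cert is still valid <days> days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# covers_domain <cert.pem> <domain>: succeeds if <domain> appears as an exact SAN entry.
covers_domain() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# key_matches <cert.pem> <privkey.pem>: succeeds if the key's public half matches the cert.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# run_checks <cert.pem> <privkey.pem> <domain...>: all checks on local files; prints the first failure.
run_checks() {
  local cert=$1 key=$2 d; shift 2
  valid_for_days "$cert" 30 || { echo "renew now: certificate expires within 30 days"; return 1; }
  key_matches "$cert" "$key" || { echo "private key does not match certificate"; return 1; }
  for d in "$@"; do
    covers_domain "$cert" "$d" || { echo "certificate does not cover $d"; return 1; }
  done
}

# check_secret <namespace> <secret> <domain...>: pull the entries out of the Kubernetes
# secret created by run.sh and run the checks (needs kubectl with access to the cluster).
check_secret() {
  local ns=$1 name=$2 dir rc=0; shift 2
  dir=$(mktemp -d)
  kubectl get secret -n "$ns" "$name" -o 'jsonpath={.data.fullchain\.pem}' | base64 -d > "$dir/fullchain.pem"
  kubectl get secret -n "$ns" "$name" -o 'jsonpath={.data.privkey\.pem}' | base64 -d > "$dir/privkey.pem"
  run_checks "$dir/fullchain.pem" "$dir/privkey.pem" "$@" || rc=$?
  rm -rf "$dir"   # never leave the decoded private key lying around on disk
  return "$rc"
}

# Usage: ./check_cert.sh default foobar-secret-name mydomain.com www.mydomain.com
if [ $# -ge 3 ]; then check_secret "$@"; fi
```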
If you need a certificate for ingress, run:
kubectl exec -it ${LETSENCRYPT_POD} -- bash ./run_ingress.sh "secret-name" "mail@mydomain.com" "mydomain.com,www.mydomain.com" "namespace"