Add support for K8S Ingress resources #3

Open
kop opened this issue Apr 29, 2016 · 7 comments
Comments

@kop

kop commented Apr 29, 2016

Since Kubernetes release 1.2.0, Ingress resources support TLS. It would be great if this image were compatible with Ingress.

What needs to be done is to change the secret data format to:

```
"data": {
  "tls.crt": "$CERT",
  "tls.key": "$KEY",
  "dhparam": "$DHPARAM"
}
```

And respond with a 200 HTTP code when the root URI (/) is requested (for health checks).

P.S. I will be happy to prepare a PR later today.

@alexcouper
Member

alexcouper commented Apr 29, 2016 via email

@kop
Author

kop commented Apr 29, 2016

@alexcouper Something tells me that it depends on implementation. There are different types of ingress controllers available: GCE, Nginx.

I think config reloading on certificate change should be part of their job and not this package.

Alternatively, we could create a new secret (in the format $SECRET_NAME_<timestamp>) when certs are updated and simply patch the Ingress resource with the new value. Old secrets should not be a problem, since K8S 1.3 will come with a garbage collector for unused Secrets and ConfigMaps.
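
The Secret layout from the first comment and the timestamped rotation described above, as an added example that is not part of the original thread or the project's code. All function names are hypothetical; it joins the timestamp with `-` rather than `_` because Kubernetes object names must be DNS-1123 subdomains, and it assumes the Ingress is updated with a JSON merge patch.

```python
import base64
import re
import time

# Simplified DNS-1123 check: Kubernetes rejects "_" and uppercase in object names.
DNS1123 = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$")


def rotated_secret_name(base, ts=None):
    """Return '<base>-<unix timestamp>' or raise if the API server would refuse it."""
    name = f"{base}-{int(time.time() if ts is None else ts)}"
    if not DNS1123.match(name):
        raise ValueError(f"invalid Secret name: {name!r}")
    return name


def _b64(text):
    return base64.b64encode(text.encode()).decode()  # Secret data values are base64


def build_tls_secret(name, namespace, cert_pem, key_pem, dhparam_pem):
    """Build a Secret manifest with the data keys proposed in the issue."""
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("tls.crt is not a PEM certificate")
    if not re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", key_pem):
        raise ValueError("tls.key is not a PEM private key")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": _b64(cert_pem), "tls.key": _b64(key_pem),
                 "dhparam": _b64(dhparam_pem)},
    }


def ingress_tls_patch(ingress, old_secret, new_secret):
    """Return a JSON merge patch repointing spec.tls entries at the new Secret."""
    tls = ingress.get("spec", {}).get("tls", [])
    if not any(e.get("secretName") == old_secret for e in tls):
        raise LookupError(f"{old_secret!r} is not referenced by this Ingress")
    # A merge patch replaces lists wholesale, so unrelated tls entries are resent too.
    return {"spec": {"tls": [
        {**e, "secretName": new_secret} if e.get("secretName") == old_secret else dict(e)
        for e in tls]}}


if __name__ == "__main__":
    ing = {"spec": {"tls": [{"hosts": ["example.com"], "secretName": "certs"}]}}  # constructed
    print(ingress_tls_patch(ing, "certs", rotated_secret_name("certs")))
```

The returned patch can be serialized with `json.dumps` and applied with `kubectl patch ingress <name> --type merge -p '<json>'`.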

@alexcouper
Member

True, that would work.

The other thing that had concerned me was not knowing how to route through to the letsencrypt pod for some requests (like is done in nginx-ssl-proxy) - but I see now that this is entirely possible using the nginx ingress controller.

So in summary, go for it, looking forward to seeing the PR!

@devth
Contributor

devth commented Jun 1, 2016

👍 this would be awesome!

@phutchins

I was planning on building something quite similar to this, so I used this as a starting point.
Here's what I added/changed...

  • Made the changes to get it working with multiple domains and Ingress.
  • Added a health check on / so that it returns 200 OK.
  • Updated the kubectl version to be in line with Docker best practice and make updating easier.
  • I made the secret unique per domain and made it customizable.

I'd be glad to contribute back some of what I've done if interested...

My plans are to make this more dynamic such that on a service that you want to have SSL, simply add a label and it will dynamically get picked up and handled.

https://github.com/phutchins/kubernetes-ssl-manager

@alexcouper
Member

@phutchins sounds fantastic. Please do contribute back and I'll happily test and merge.

@txels
Member

txels commented Oct 13, 2016

Part of this has been done in #13 (including the new data keys in the secret)
