This repository was archived by the owner on Feb 5, 2020. It is now read-only.

Conversation

@s-urbaniak (Contributor):

This is an initial attempt to add letsencrypt support to the
installer.

It also starts factoring at least the ingress TLS setup to be a
separate module.

/cc @alexsomesan @mxinden @colhom

config.tf (outdated):
// }

variable "tectonic_acme_email_address" {
default = "Your email address to be used for the ACME registration."
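Review bot: the `default` of `tectonic_acme_email_address` holds help text rather than a value; move that string to `description` and leave the variable without a default (or use `default = ""`) so the operator has to supply the address that will be registered with the ACME CA and receive its expiry notices.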
@cpanato (Contributor) Jul 24, 2017:

Shouldn't this be the description instead of default?
And default = ""

@s-urbaniak (Contributor, Author):
Haha, a good catch ;-D

@s-urbaniak s-urbaniak force-pushed the acme branch 2 times, most recently from 20af123 to 5cf9568 Compare July 24, 2017 14:26
@coresolve (Contributor):

Hey @s-urbaniak Take a look at https://gist.github.com/coresolve/36027a1a891ce9590a5cdabc8de9c15a

This leverages kube-lego inside the cluster to provide certificates and could easily be extended to support the ingress certificate for the cluster.

I don't think that using tf to create the certificate would work well as we don't yet have a mechanism to support the lifecycle part of the cert. When the cert expires in 90 days using tf to replace it would be challenging as I understand the code today.

I've been looking at whether it's possible to expose another ingress with a kube-lego cert and have that serve the console. At that point the existing ingress is used only for things like kubectl and the apiserver.

@chancez (Contributor) commented Jul 25, 2017:

I'll just warn that kube-lego only supports the HTTP challenge, so if we ever want TLS across multiple different ingress resources (like, in two different clusters), you'll need to use something which supports the DNS challenge.
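To make the HTTP vs. DNS challenge distinction concrete, here is an added Python example (not code from this pull request or from kube-lego) that computes what an ACME client must present for each challenge type per RFC 8555: the HTTP-01 body is the key authorization served from `/.well-known/acme-challenge/<token>` by whatever host answers for the name on port 80, while the DNS-01 value is a digest published as a TXT record under `_acme-challenge.<name>`, independent of any cluster being reachable. The account key, token and host name are constructed sample values; the function names are this example's own.

```python
"""Added example: what an ACME client presents for HTTP-01 and DNS-01
(RFC 8555 sections 8.3 and 8.4), using a constructed account key."""
import base64
import hashlib
import json

# Constructed sample account key (not a real key; only the thumbprint matters here).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-sample-modulus-not-a-real-rsa-key",
}
SAMPLE_TOKEN = "constructed-sample-token-0123456789"
SAMPLE_NAME = "console.example.invalid"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with lexicographically sorted keys and no whitespace.
    Private members such as "d" never influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization = token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """HTTP-01: the CA fetches http://<name>/.well-known/acme-challenge/<token>.
    Only the single endpoint that answers for <name> on port 80 can satisfy this,
    which is why one HTTP-01 client cannot validate the same name for two clusters."""
    return ("/.well-known/acme-challenge/" + token, key_authorization(token, jwk))


def dns01_record(name: str, token: str, jwk: dict) -> tuple:
    """DNS-01: the CA looks up a TXT record at _acme-challenge.<name> whose value is
    the base64url SHA-256 digest of the key authorization. The proof lives in the
    zone, so any number of clusters can obtain certificates for the name."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return ("_acme-challenge." + name, b64url(digest))


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, ACCOUNT_JWK)
    print("HTTP-01: serve", repr(body), "at", path)
    rr_name, rr_value = dns01_record(SAMPLE_NAME, SAMPLE_TOKEN, ACCOUNT_JWK)
    print("DNS-01: publish TXT", rr_name, rr_value)
```

Both values derive from the same key authorization; the difference the comment above points at is purely where the CA goes to read it (an HTTP endpoint for the name versus the DNS zone), which determines how many independent ingress resources can prove control of one name.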

@s-urbaniak (Contributor, Author):

Closing, as key rotation actually is unsolved as mentioned by @coresolve. Additionally #1811 provides a way to inject 3rd party certs for ingress (which can also be generated by let's encrypt/acme), hence this is unneeded.

@s-urbaniak s-urbaniak closed this Aug 31, 2017