55 lines
1.8 KiB
Markdown
55 lines
1.8 KiB
Markdown
## ungleich-certbot
|
|
|
|
This container is made for getting **real world** certificates
|
|
for your kubernetes cluster.
|
|
|
|
The assumption is that you can point the DNS name to the container
|
|
from outside. This is by default given for **IPv6 only kubernetes
|
|
services**.
|
|
|
|
|
|
## Usage
|
|
|
|
* Set the environment variable DOMAIN to specify the domain for which
|
|
to get a certificate
|
|
* Set the environment variable EMAIL (this is where letsencrypt sends
|
|
warnings to)
|
|
* Set the environment variable STAGING to "no" if you want to have
|
|
proper certificates - this is to prevent you from asking the real
|
|
letsencrypt service accidently by default
|
|
* By default the container allows world read access to the
|
|
certificates, so that non-root users can access the certificates.
|
|
Set the LEAVE_PERMISSIONS_AS_IS environment variable to instruct the
|
|
container not to change permissions
|
|
|
|
```
|
|
docker run -e DOMAIN=example.com \
|
|
-e EMAIL=root@example.com \
|
|
ungleich/ungleich-certbot
|
|
```
|
|
|
|
### Exiting after getting the certificate
|
|
|
|
By default, the container will stay alive and try to renew the
|
|
certificate every 86400 seconds. If you set the environment variable
|
|
`ONLYGETCERT`, then it will only get the certificates and exit.
|
|
|
|
### Only renewing the certificate
|
|
|
|
If you only want to trigger renewing existing certificates and skip
|
|
getting the certificates initially, you can set the variable
|
|
`RENEWCERTSONCE`, then it will only renew all certificates and exit.
|
|
|
|
* If `ONLYRENEWCERTS` is set, only the reguler renew loop will run.
|
|
* If `ONLYRENEWCERTSONCE` is set, renew will be run once and then the
|
|
container exits
|
|
|
|
## Volumes
|
|
|
|
If you want to keep / use your certificates, you are advised to create
|
|
a volume below /etc/letsencrypt.
|
|
|
|
## Kubernetes
|
|
|
|
See https://code.ungleich.ch/ungleich-public/ungleich-k8s/.
|