ungleich-k8s/archive/v3/certificates-dns.md
2021-10-18 15:15:52 +02:00

Objective

Allow a service to acquire a DNS name and a certificate for the DNS name.

Potential flow

  • A Deployment (or another workload kind, still to be decided) is created with an annotation such as domain: xyz.example.com
  • The DNS entry xyz.example.com pointing to the Service is created
  • The certificate for xyz.example.com is requested and stored
  • All pods get access to the certificate and serve HTTPS

Certificate for a service [sketch]

  • Have one pod listening on port 80 that runs certbot from time to time
    • The certificate and key are stored on a volume the application pods can mount (not a ConfigMap: ConfigMaps are not meant for confidential data, and the private key should not be readable by everything that can read config; a Secret or a dedicated volume is the right place)
  • The application containers read the certificate
    • ... and are restarted on ... ??
  • A Job plus a CronJob could run certbot
  • Deletion of the certificate?
    • Goes away together with the volume
  • nginx on port 80 of the service IP serves the certbot webroot (HTTP-01 challenge)
    • The webroot is shared with the certbot container

DNS

Letsencrypt / Certificates for services [WIP]

  • Maybe using cert-manager, installed with:

```sh
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
```

Container flow / certificate renewal

  • Assume a shell script as the container's init process
  • It checks for the required certificate at /etc/letsencrypt/...
  • Starts nginx once the certificate is available, caching the file's checksum in a shell variable
  • Checks the file once per hour and reloads nginx if the checksum changed
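
The container flow above, together with the certbot/webroot side of the "Certificate for a service" sketch, as an added example that is not part of this note or of ungleich-k8s: one POSIX sh entrypoint with two roles, `renew` for the certbot container (Job/CronJob) and `watch` for the nginx container (wait for the certificate, start nginx, poll hourly, reload on rotation). The domain, webroot path, e-mail address, `CERT_DIR` layout and the assumption that certbot's output directory and the webroot sit on volumes shared between the two containers are all assumptions for illustration, not anything the note specifies.

```sh
#!/bin/sh
# Added example (not from the ungleich-k8s note): one entrypoint script with two roles.
#   entrypoint.sh renew  -> certbot container / CronJob side (webroot HTTP-01 challenge)
#   entrypoint.sh watch  -> nginx container side (start, then reload on rotation)
# Assumptions, not stated in the note: certbot's output directory and the webroot are on
# volumes shared between the two containers, and nginx's config already references
# $CERT and $KEY. Domain, webroot and e-mail below are placeholders.

DOMAIN="${DOMAIN:-xyz.example.com}"
WEBROOT="${WEBROOT:-/var/www/certbot}"            # served by nginx on port 80
ACME_EMAIL="${ACME_EMAIL:-admin@example.com}"
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/$DOMAIN}"
CERT="$CERT_DIR/fullchain.pem"
KEY="$CERT_DIR/privkey.pem"
POLL_SECONDS="${POLL_SECONDS:-3600}"              # once per hour, as in the note

# --- certbot side -----------------------------------------------------------
# certonly with --keep-until-expiring is idempotent: the first run issues, later runs
# only renew when the cert is close to expiry, so one command fits both Job and CronJob.
certbot_run() {
  certbot certonly --non-interactive --agree-tos --keep-until-expiring \
    --webroot -w "$WEBROOT" -d "$DOMAIN" -m "$ACME_EMAIL"
}

# --- nginx side -------------------------------------------------------------
# Both files must exist and be non-empty; never start nginx on a half-written cert.
cert_present() {
  [ -s "$1" ] && [ -s "$2" ]
}

# One fingerprint over chain and key together, so a rotation of either file changes it.
cert_fingerprint() {
  cat "$1" "$2" | sha256sum | cut -d' ' -f1
}

# True (exit 0) when the current fingerprint differs from the cached one passed as $3.
cert_changed() {
  [ "$(cert_fingerprint "$1" "$2")" != "$3" ]
}

wait_for_cert() {
  until cert_present "$CERT" "$KEY"; do
    echo "waiting for $CERT and $KEY" >&2
    sleep 10
  done
}

watch_loop() {
  wait_for_cert
  current="$(cert_fingerprint "$CERT" "$KEY")"
  nginx -g 'daemon off;' &        # background nginx; this shell stays the container's init
  nginx_pid=$!
  # Forward SIGTERM so kubelet can stop nginx; note a POSIX sh runs the trap only after
  # the foreground sleep returns, so shutdown can lag by up to one sleep interval.
  trap 'kill -TERM "$nginx_pid" 2>/dev/null' TERM INT
  while kill -0 "$nginx_pid" 2>/dev/null; do
    sleep "$POLL_SECONDS"
    if cert_present "$CERT" "$KEY" && cert_changed "$CERT" "$KEY" "$current"; then
      current="$(cert_fingerprint "$CERT" "$KEY")"
      echo "certificate for $DOMAIN rotated, reloading nginx" >&2
      nginx -s reload             # graceful reload; in-flight connections finish
    fi
  done
  wait "$nginx_pid"               # propagate nginx's exit status as the container's
}

case "${1:-}" in
  renew) certbot_run ;;
  watch) watch_loop ;;
esac
```

Hashing chain and key together, rather than the chain alone, matters because certbot writes a fresh key on every renewal: reloading on a changed chain with a stale key would make nginx fail to load the pair. The `-s` test on both files and the one-hour poll are the same guards the note describes; a shorter `POLL_SECONDS` only costs a `cat` and a hash per interval.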