Objective
Allow a service to acquire a DNS name and a certificate for the DNS name.
Potential flow
- A deployment (?) with the annotation domain: xyz.example.com is created
- The DNS entry xyz.example.com pointing to the Service is created
- The certificate for xyz.example.com is requested/stored
- All pods get access to the certificate and serve HTTPS
Certificate for a service [sketch]
- Have one pod listening on port 80 / doing certbot from time to time
- The cert is stored as a configmap (?) or other volume
- The application containers read the certificate
- ... and are restarted on ... ??
- Job+Cronjob could do the job
- Deletion of certificate?
  - With the volume/configmap
- Port 80 of the IP: nginx with certbot webroot
  - webroot shared with the certbot container
DNS
- Could try to reuse existing CoreDNS
  - Maybe even via https://coredns.io/plugins/kubernetes/
Letsencrypt / Certificates for services [WIP]
- Maybe using certmanager
  kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
Container flow / certificate renewal
- Assume a shell script as init
- checking for the required certificate at /etc/letsencrypt/...
- starting nginx when available, caching the checksum (in a shell variable)
- Check the file once per hour, reload nginx if the checksum changed
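The init/watch flow above as an added example script (not part of the original notes): it waits for the certificate, starts nginx, keeps a checksum in a shell variable and reloads nginx when it changes. CERT_FILE, KEY_FILE and CHECK_INTERVAL are assumed names; the default paths are placeholders to be pointed at the fullchain.pem / privkey.pem certbot writes.

```shell
#!/bin/sh
# Added example, not from the original notes. Paths below are placeholders.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/PLACEHOLDER/fullchain.pem}"
KEY_FILE="${KEY_FILE:-/etc/letsencrypt/PLACEHOLDER/privkey.pem}"
CHECK_INTERVAL="${CHECK_INTERVAL:-3600}"   # once per hour, as in the notes

# Hash stdin with sha256sum where available, falling back to POSIX cksum.
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else cksum; fi | cut -d' ' -f1
}

# One checksum over cert + key: a renewal rotates both, and a half-written
# pair must not trigger a reload. Fails if either file is missing/unreadable.
cert_checksum() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cat "$1" "$2" | hash_stdin
}

# Exit 0 only when both files exist and their checksum differs from $1.
# A vanished certificate (the "deletion" case) is not a change: keep serving
# the already-loaded one instead of reloading nginx onto a missing file.
cert_changed() {
    new=$(cert_checksum "$2" "$3") || return 1
    [ "$new" != "$1" ]
}

reload_nginx() { nginx -s reload; }   # graceful reload, no dropped connections

# Init flow: wait for certbot to produce the files, start nginx, then poll.
main() {
    until cur=$(cert_checksum "$CERT_FILE" "$KEY_FILE"); do
        echo "waiting for $CERT_FILE and $KEY_FILE" >&2
        sleep 10
    done
    nginx -g 'daemon off;' &
    while sleep "$CHECK_INTERVAL"; do
        if cert_changed "$cur" "$CERT_FILE" "$KEY_FILE"; then
            cur=$(cert_checksum "$CERT_FILE" "$KEY_FILE")
            reload_nginx && echo "certificate changed, nginx reloaded" >&2
        fi
    done
}

# The loop only runs when invoked as `script.sh run`; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```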