ungleich-k8s/archive/v3/certificates-dns.md
2021-10-18 15:15:52 +02:00

45 lines
1.3 KiB
Markdown

## Objective
Allow a service to acquire a DNS name and a certificate for the DNS
name.
## Potential flow
* A deployment (?) with annotations domain: xyz.example.com is created
* The DNS entry xyz.example.com pointing to the Service is created
* The certifcatce for xyz.example.com is requested/stored
* All pods get access to the certificate, serve https
## Certificate for a service [sketch]
* Have one pod listening on port 80 / doing certbot from time to time
* The cert is stored as a configmap (?) or other volume
* The application containers read the certificate
* ... and are restarted on ... ??
* Job+Cronjob could do the job
* Deletion of certificate?
* With the volume/configmap
* Port 80 of the IP nginx with certbot webroot
* webroot shared with certbot container
## DNS
* Could try to reuse existing CoreDNS
** Maybe even via https://coredns.io/plugins/kubernetes/
## Letsencrypt / Certificates for services [WIP]
* Maybe using certmanager
```
kubectl apply -f
https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
```
## Container flow / certificate renewal
* Assume a shell script as init
* checking for the required certificate at /etc/letsencrypt/...
* starting nginx when available, caching the checksum (in a shell variable)
* Check the file once per hour, reload nginx if it happened