45 lines
1.3 KiB
Markdown
## Objective

Allow a service to acquire a DNS name and a certificate for that DNS name.

## Potential flow

* A Deployment (?) with the annotation `domain: xyz.example.com` is created
* The DNS entry xyz.example.com pointing to the Service is created
* The certificate for xyz.example.com is requested and stored
* All pods get access to the certificate and serve HTTPS

## Certificate for a service [sketch]

* Have one pod listening on port 80 / running certbot from time to time
* The cert is stored in a ConfigMap (?) or another volume; the private key must not go into a ConfigMap (it is not a secret store), a Secret mounted as a volume does the same job
* The application containers read the certificate
* ... and are restarted (or reloaded) on ... ??
* A Job + CronJob could do the certbot runs
* Deletion of the certificate?
  * Together with the volume/ConfigMap
* Port 80 of the IP: nginx with the certbot webroot
  * The webroot is shared with the certbot container

## DNS

* Could try to reuse the existing CoreDNS
  * Maybe even via https://coredns.io/plugins/kubernetes/

## Letsencrypt / Certificates for services [WIP]

* Maybe using cert-manager

```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
```

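The flow above (annotation on the Deployment, certificate requested and stored, pods serving HTTPS) mapped onto cert-manager, as an added example that is not part of the original notes and not code from the cert-manager project. It assumes a ClusterIssuer named `letsencrypt` that solves HTTP-01 through an Ingress of class `nginx`, the production ACME endpoint, and a TLS Secret named after the domain (dots replaced by dashes); `valid_domain`, `render_certificate` and the other function names are this example's own.

```sh
#!/bin/sh
# Added example for these notes, not code from cert-manager or from the original page.
# Turns the `domain: xyz.example.com` annotation of a Deployment into cert-manager
# resources. Assumed (not in the original): a ClusterIssuer named `letsencrypt`
# solving HTTP-01 through an Ingress of class `nginx`, and the resulting TLS
# Secret being named <domain-with-dashes>-tls in the Deployment's namespace.

ACME_SERVER="https://acme-v02.api.letsencrypt.org/directory"

# The annotation is written by whoever can create Deployments, so it is untrusted
# input before it is templated into YAML. The case pattern rejects any character
# outside the hostname alphabet (a newline would otherwise let the value inject
# extra YAML keys; grep alone would not catch it, because grep is line-oriented).
valid_domain() {
    d="$1"
    [ ${#d} -le 253 ] || return 1
    case "$d" in ''|*[!a-z0-9.-]*) return 1 ;; esac
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Kubernetes object names: lowercase RFC 1123 labels, at most 63 characters.
valid_name() {
    n="$1"
    [ ${#n} -le 63 ] || return 1
    case "$n" in ''|*[!a-z0-9-]*|-*|*-) return 1 ;; esac
    return 0
}

# Name of the Secret cert-manager will write the key pair into.
secret_name_for() {
    printf '%s-tls' "$(printf '%s' "$1" | tr '.' '-')"
}

render_issuer() {   # $1 = contact e-mail for the ACME account (operator-supplied)
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: $ACME_SERVER
    email: $1
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

render_certificate() {   # $1 = domain from the annotation, $2 = namespace
    valid_domain "$1" || { echo "refusing invalid domain: $1" >&2; return 1; }
    valid_name "$2"   || { echo "refusing invalid namespace: $2" >&2; return 1; }
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $(printf '%s' "$1" | tr '.' '-')
  namespace: $2
spec:
  secretName: $(secret_name_for "$1")
  dnsNames:
  - $1
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
EOF
}

# Read the annotation from a live Deployment and apply the Certificate. Needs
# kubectl and a cluster, so it is the one function here that cannot run offline.
certificate_for_deployment() {   # $1 = deployment name, $2 = namespace
    domain=$(kubectl -n "$2" get deployment "$1" -o jsonpath='{.metadata.annotations.domain}') || return 1
    render_certificate "$domain" "$2" | kubectl apply -f -
}
```

cert-manager writes the key pair into the named Secret (keys `tls.crt` and `tls.key`) and renews it in place; the pods mount that Secret as a volume, which is the answer to the "ConfigMap (?)" question for this variant. The domain is checked before templating because the annotation is set by whoever can create Deployments in the namespace, and an unvalidated value would be pasted straight into the manifest.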
## Container flow / certificate renewal

* Assume a shell script as the container's init process
* It checks for the required certificate at /etc/letsencrypt/...
* It starts nginx once the certificate is available and caches a checksum of the files (in a shell variable)
* It re-checks the files once per hour and reloads nginx if the checksum changed
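
The init script sketched in this section, together with the "one pod runs certbot and writes into a shared volume" part of the certificate sketch above, written out as an added example; it is not part of the original notes and not nginx's or certbot's own code. It assumes certbot's file layout (`fullchain.pem` and `privkey.pem` under `$CERT_DIR`), that nginx runs in the foreground and is reloaded with `nginx -s reload`, and that `openssl` is present in the image; the function names are this example's own.

```sh
#!/bin/sh
# Added example for these notes (not from the original page, nginx or certbot):
# entrypoint for the application container that waits for the certificate the
# certbot pod writes into the shared volume, starts nginx, and thereafter reloads
# nginx only when the files have actually changed.
# Assumed (not in the original): certbot's layout of fullchain.pem and privkey.pem
# under $CERT_DIR, nginx started in the foreground and reloaded with `nginx -s reload`,
# and openssl available in the image.

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/xyz.example.com}"
CHECK_INTERVAL="${CHECK_INTERVAL:-3600}"   # seconds; once per hour as in the sketch

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# One hash over chain and key together, so a renewal that replaces both files
# is seen as a single change. Fails (non-zero) while either file is missing.
cert_fingerprint() {
    dir="$1"
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || return 1
    cat "$dir/fullchain.pem" "$dir/privkey.pem" | _sha256 | cut -d' ' -f1
}

# The key must belong to the leaf certificate. certbot writes the two files
# separately, so a poll can observe a new chain next to the old key; handing
# that pair to nginx makes the reload fail. Compare the public key of both.
cert_and_key_match() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True (exit 0) when the cached fingerprint differs from the current one.
cert_changed() {
    [ "$1" != "$2" ]
}

run() {
    # Wait for the first issuance to land in the volume before serving anything.
    until cert_fingerprint "$CERT_DIR" >/dev/null && cert_and_key_match "$CERT_DIR"; do
        echo "waiting for certificate in $CERT_DIR" >&2
        sleep 10
    done
    current=$(cert_fingerprint "$CERT_DIR")
    nginx -g 'daemon off;' &
    while sleep "$CHECK_INTERVAL"; do
        latest=$(cert_fingerprint "$CERT_DIR") || continue
        cert_changed "$current" "$latest" || continue
        if cert_and_key_match "$CERT_DIR" && nginx -t -q; then
            nginx -s reload && current="$latest"
        else
            echo "new certificate files are inconsistent, keeping the old ones loaded" >&2
        fi
    done
}

# Run only when invoked as `entrypoint.sh run`, so the functions can be sourced
# and exercised without starting nginx.
if [ "${1:-}" = run ]; then run; fi
```

Reloading instead of restarting keeps existing connections up, which is the answer to the "restarted on ... ??" item in the sketch. The consistency check before the reload matters because certbot writes chain and key as two separate files: a poll that lands between the two writes sees a chain that does not match the key, and the script keeps the previously loaded pair until the next hourly check finds a consistent one.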