An Introduction to Kube-Lego
1 like2,242 views
Kube-Lego is an open source tool that automates certificate provisioning for Kubernetes using the ACME protocol and Let's Encrypt. It uses ingress resources and controllers to request and renew SSL/TLS certificates and configure services with HTTPS. Kube-Lego monitors ingress resources for changes and requests certificates from an ACME server by completing challenges, then deploys the certificates to ingress controllers like Nginx to secure services. Future work may include improved failure handling, configuring certificate options, and supporting additional ACME challenges.
An Introduction to Kube-Lego
- 1. Kube-Lego Automated certificate provisioning for Kubernetes using ACME https://github.com/jetstack/kube-lego @JetstackHQ Image: (CC BY-SA 4.0) Arto Alanenpää
- 2. ● ACME Protocol ● Ingress Resources & Controllers ● Kube-Lego Flow ● Demo ● Kube-Lego Roadmap Agenda
- 3. @ DNS admins in the audience, please point any hostname via a CNAME record to: kube-lego.jetstack.io and tweet the hostname @jetstackhq Demo Preparation
- 4. ACME / Let’s Encrypt Protocol ● Well defined Protocol for interacting with a CA ● Supports different challenges ○ HTTP ○ DNS ○ TLS-SNI ○ Proof of possession of a prior key ● User account ● Maximum certificate lifetime 90 days Automated Certificate Management Environment
- 5. Ingress-Controller Resource spec: rules: - host: foo.bar.com http: paths: - backend: serviceName: s1 servicePort: 80 - host: bar.foo.com http: paths: - backend: serviceName: s2 servicePort: 80 ● More advanced than services ● Not implemented in tree ● L4 - L7
- 6. Ingress-Controller Nginx ● Runs inside your cluster ● Exposed through services (typically type=LoadBalancer) ● Listens to changes of Ingress resources via K8S-API => writes out nginx.conf and reloads nginx ● Custom configuration easily possible ○ Basic Auth ○ HSTS ○ LDAP Auth
- 7. SSL Report Nginx has A+ Grade rating
- 8. Ingress-Controller Google Cloud Engine Load Balancers ● L7 Load Balancing as a service ● Depending on features of GCE Forwarding Rules ● Ingress controller watches changes in K8S API and configures GCE accordingly ● One ingress object equals one Load Balancer in K8S ● Servics need to be of type=NodePort
- 9. Ingress-Controller Use different Ingress controllers ● Selection of the right controller using annotation: kubernetes.io/ingress.class: "nginx" kubernetes.io/ingress.class: "gce" ● Same ingress configuration is handled differently on GCE vs. NGINX ○ Paths / vs. /* ○ Order of backends ○ Aggregation of multiple resources vs. isolated instances
- 18. Demo
- 19. Future Work / Roadmap Kube-Lego roadmap ● Better failure handling (marking requests as permanent failed) ● Specify namespaces to watch ● Configure key length and algorithm ● Support TLS-SNI challenge ● Revoke certificates after they have been replaced