Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Let's Encrypt Certificates for LoadBalancers #92

Open
andrewsykim opened this issue May 9, 2018 · 12 comments
Open

Support Let's Encrypt Certificates for LoadBalancers #92

andrewsykim opened this issue May 9, 2018 · 12 comments

Comments

@andrewsykim
Copy link
Contributor

andrewsykim commented May 9, 2018
edited
Loading

Need to pull in the latest version of godo that includes digitalocean/godo#165.

Get DNS names from annotations?

cc @cagedmantis
@xmudrii
Copy link
Contributor

xmudrii commented May 9, 2018

godo updated in #93.

I don't believe digitalocean-cloud-controller-manager currently supports Certificates (IIRC, you can only uses existing one with ID). So, we'll need to add annotations for Certificate payload (private key, certificate chain, leaf certificate) and type (custom or lets_encrypt).

DNS names maybe could be obtained from API, not sure are there annotations by default.

@andrewsykim
Copy link
Contributor Author

andrewsykim commented May 10, 2018
edited
Loading

That is true, the current implementation of LBs require that the certificate was already created and that you know the certificate ID. The new Let's Encrypt feature means that we don't have to have the certificate created, we just need a DigitalOcean domain that we can use.

One thing to note is that the Let's Encrypt feature currently does not support wildcard domains, meaning that though users don't need to manually create certificates, they still need to manually create a domain at least once. From there we may want to programmatically create subdomains so users don't have to create them for every LB.

@sonamsamdupkhangsar
Copy link

Does DigitalOcean Kubernetes have the ability to use lets encrypt to use a domain name with https?
There are docs online but not sure if there is an update or examples on how to do this.

@EnigmaCurry
Copy link

EnigmaCurry commented Jan 7, 2019 via email

@Miniland1333
Copy link

letsdothis
Just to make sure, are you looking for the ability to utilize Let's Encrypt Certificates on DigitalOcean loadbalancer for Kubernetes? I had been delaying a project of mine because of this, but I found out that it is already baked into the loadbalancer that is pointing at my cluster. If you select HTTPS ingress, it just asks for which certificate to use exactly as it would for a non-kubernetes pointing loadbalancer!

@wayne-o
Copy link

wayne-o commented Feb 25, 2019

I have a chicken and egg problem with this that i don't know how to fix unless the LE inttegration is there?

The LB needs to have the cert ID added as an annotation but I don't know the IP of the LB until it is created.

How are people getting around this?

@nickpack
Copy link

@wayne-o I gave up on this entirely and set up an nginx ingress controller and cert-manager to handle it instead.

@wayne-o
Copy link

wayne-o commented Feb 25, 2019 via email

@timoreimann
Copy link
Contributor

With godo now supporting Let's Encrypt, it should be possible to make the necessary extensions to CCM. I haven't had the bandwidth to push this myself, though. If any volunteer would like follow up on the discussion that started earlier in this issue and take a stab on a PR, however, I'd be happy to assist and review.

@acejam
Copy link

acejam commented Apr 26, 2019

One thing I noticed is that a user can specify a Let's Encrypt certificate ID by annotation. For example:

"service.beta.kubernetes.io/do-loadbalancer-certificate-id" = "234h23h32-2244-4jk4-k4723-72b2f36ce721"

I'm currently doing this with a service of mine.

However - when a Let's Encrypt certificate expires, the certificate ID in DO's system changes. DO is currently "smart" enough to update the load balancer with the new certificate - but does one need to worry about having to update their Kubernetes Service definition too?

The problem is the certificate update occurs in an automated fashion prior to certificate expiration. This is great - the cert won't expire, but you don't know when it's going to happen.

@waynr waynr mentioned this issue Sep 5, 2019
Merged
8 tasks
@timoreimann
Copy link
Contributor

@acejam apologies for the late response.

The issue you describe about LE certificates being updated automatically for LBs but not for Services is indeed a problem. We have started work on PR 274 (link right above this message) that is going to address the problem.

/cc @waynr @snormore

@nicktate nicktate mentioned this issue Nov 13, 2019
Open
@nicolas-laduguie
Copy link

Just a feedback about this - Oracle cloud is managing the load balancers with their controller in the way that you are responsible for creating the TLS secret in Kubernetes (manually or with certmanager), and you configure your loadbalancer service giving it the annotation service.beta.kubernetes.io/oci-load-balancer-tls-secret
When the controller creates the load balancer on cloud provider side, it gives it your certificate.
I would be in favor of such behavior because depending on what is your DNS provider/certificate provider, it's more flexible if you don't delegate certificate creation to DO.
See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancers-subtopic.htm#creatinglbhttps

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests