kube-lego

:warning:

kube-lego is no longer maintained. The officially endorsed successor is cert-manager.

If you are a current user of kube-lego, you can find a migration guide here.

:warning:

kube-lego automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt

Screencast

Kube Lego screencast

Features

Requirements

Usage

run kube-lego

The default value of LEGO_URL is the Let's Encrypt staging environment. If you want "real" certificates, you have to point LEGO_URL at their production environment.

how kube-lego works

As soon as the kube-lego daemon is running, it creates a user account with Let's Encrypt, creates a service resource, and looks for ingress resources that carry this annotation:

metadata:
  annotations:
    kubernetes.io/tls-acme: "true"

Every ingress resource that has this annotation will be monitored by kube-lego (cluster-wide in all namespaces). The only part that is watched is the list spec.tls. Every element will get its own certificate through Let's Encrypt.

Let's take a look at this ingress resource:

spec:
  tls:
  - secretName: mysql-tls
    hosts:
    - phpmyadmin.example.com
    - mysql.example.com
  - secretName: postgres-tls
    hosts:
    - postgres.example.com

On finding the above resource, the following happens:

  1. An ingress resource is created that routes the ACME challenge requests for those domains to kube-lego.

  2. kube-lego then performs its own check, e.g. against http://mysql.example.com/.well-known/acme-challenge/_selftest, to ensure the routing works before reaching out to Let's Encrypt.

  3. kube-lego obtains two certificates (one with phpmyadmin.example.com and mysql.example.com, the other with postgres.example.com).
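The following Go program is an added example, not kube-lego's own code: it models the decision described above, i.e. which certificates an annotated ingress calls for. The `ingress` struct is a hypothetical, reduced model of the Kubernetes Ingress object (only the fields kube-lego reads), `sampleIngress` is constructed test data mirroring the spec.tls example above, and skipping tls entries without a secret name or hosts is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, reduced model of the Ingress fields kube-lego reads:
// metadata.annotations and spec.tls. JSON field names follow the Kubernetes API.
type ingress struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		TLS []struct {
			SecretName string   `json:"secretName"`
			Hosts      []string `json:"hosts"`
		} `json:"tls"`
	} `json:"spec"`
}

// certRequest describes one certificate: one per spec.tls element, covering
// all hosts of that element and stored in secretName.
type certRequest struct {
	Namespace  string
	SecretName string
	Hosts      []string
	SelfTests  []string // URLs probed before the ACME server is contacted (step 2)
}

// Default of LEGO_KUBE_ANNOTATION; only the exact string "true" opts an ingress in.
const optInAnnotation = "kubernetes.io/tls-acme"

// selfTestURL is the per-host check from step 2 above.
func selfTestURL(host string) string {
	return "http://" + host + "/.well-known/acme-challenge/_selftest"
}

// certRequests decodes an Ingress (JSON, as returned by the API server) and
// returns the certificates it calls for, or nil when the ingress is not opted in.
func certRequests(raw []byte) ([]certRequest, error) {
	var ing ingress
	if err := json.Unmarshal(raw, &ing); err != nil {
		return nil, err
	}
	if ing.Metadata.Annotations[optInAnnotation] != "true" {
		return nil, nil
	}
	var out []certRequest
	for _, t := range ing.Spec.TLS {
		// Assumption: an entry without a secret name or hosts cannot yield a
		// usable certificate, so it is skipped rather than reported as an error.
		if t.SecretName == "" || len(t.Hosts) == 0 {
			continue
		}
		req := certRequest{Namespace: ing.Metadata.Namespace, SecretName: t.SecretName, Hosts: t.Hosts}
		for _, h := range t.Hosts {
			req.SelfTests = append(req.SelfTests, selfTestURL(h))
		}
		out = append(out, req)
	}
	return out, nil
}

// sampleIngress is constructed test data mirroring the spec.tls example above.
const sampleIngress = `{
  "metadata": {
    "name": "db-admin",
    "namespace": "default",
    "annotations": {"kubernetes.io/tls-acme": "true"}
  },
  "spec": {
    "tls": [
      {"secretName": "mysql-tls", "hosts": ["phpmyadmin.example.com", "mysql.example.com"]},
      {"secretName": "postgres-tls", "hosts": ["postgres.example.com"]}
    ]
  }
}`

func main() {
	reqs, err := certRequests([]byte(sampleIngress))
	if err != nil {
		fmt.Println("decode error:", err)
		return
	}
	for _, r := range reqs {
		fmt.Printf("%s/%s: hosts=%v\n  self-tests=%v\n", r.Namespace, r.SecretName, r.Hosts, r.SelfTests)
	}
}
```

Run against the sample, the program reports two certificate requests, which matches step 3: the first covers both phpmyadmin.example.com and mysql.example.com and is stored in mysql-tls, the second covers postgres.example.com and is stored in postgres-tls. An ingress without the annotation yields no requests at all, which is why a forgotten annotation is the first thing to check when no certificate appears.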

Please note:

Switching from staging to production

At some point you'll be ready to use the Let's Encrypt production API URL. To make the switch in kube-lego, please do the following:

Ingress controllers

Nginx Ingress Controller

GCE Loadbalancers

Environment variables

| Name | Required | Default | Description |
|------|----------|---------|-------------|
| LEGO_EMAIL | y | - | E-Mail address for the ACME account, used to recover from lost secrets |
| LEGO_POD_IP | y | - | Pod IP address (use the downward API) |
| LEGO_NAMESPACE | n | default | Namespace where kube-lego is running in |
| LEGO_URL | n | https://acme-staging.api.letsencrypt.org/directory | URL for the ACME server. To get "real" certificates set to the production API of Let's Encrypt: https://acme-v01.api.letsencrypt.org/directory |
| LEGO_SECRET_NAME | n | kube-lego-account | Name of the secret in the same namespace that contains the ACME account secret |
| LEGO_SERVICE_SELECTOR | n | kube-lego | Set the service selector to the kube-lego pod |
| LEGO_SERVICE_NAME_NGINX | n | kube-lego-nginx | Service name for NGINX ingress |
| LEGO_SERVICE_NAME_GCE | n | kube-lego-gce | Service name for GCE ingress |
| LEGO_SUPPORTED_INGRESS_CLASS | n | nginx,gce | Specify the supported ingress class |
| LEGO_SUPPORTED_INGRESS_PROVIDER | n | nginx,gce | Specify the supported ingress provider |
| LEGO_INGRESS_NAME_NGINX | n | kube-lego-nginx | Ingress name which contains the routing for HTTP verification for nginx ingress |
| LEGO_PORT | n | 8080 | Port where this daemon is listening for verification calls (HTTP method) |
| LEGO_CHECK_INTERVAL | n | 8h | Interval for periodic certificate checks (to find expired certs) |
| LEGO_MINIMUM_VALIDITY | n | 720h (30 days) | Request a renewal when the remaining certificate validity falls below that value |
| LEGO_DEFAULT_INGRESS_CLASS | n | nginx | Default ingress class for resources without specification |
| LEGO_DEFAULT_INGRESS_PROVIDER | n | $LEGO_DEFAULT_INGRESS_CLASS | Default ingress provider for resources without specification |
| LEGO_KUBE_API_URL | n | http://127.0.0.1:8080 | API server URL |
| LEGO_LOG_LEVEL | n | info | Set log level (debug, info, warn or error) |
| LEGO_LOG_TYPE | n | text | Set log type. Only json is supported as a custom value; everything else defaults to the default logrus text format |
| LEGO_KUBE_ANNOTATION | n | kubernetes.io/tls-acme | Set the ingress annotation used by this instance of kube-lego to get certificates from Let's Encrypt. Allows you to run kube-lego against staging and production LE |
| LEGO_WATCH_NAMESPACE | n | (empty) | Namespace that kube-lego should watch for ingresses and services |
| LEGO_RSA_KEYSIZE | n | 2048 | Size of the private RSA key |
| LEGO_EXPONENTIAL_BACKOFF_MAX_ELAPSED_TIME | n | 5m | Max time to wait for each domain authorization attempt |
| LEGO_EXPONENTIAL_BACKOFF_MAX_INITIAL_INTERVAL | n | 30s | Initial interval to wait for each domain authorization attempt |
| LEGO_EXPONENTIAL_BACKOFF_MAX_MULTIPLIER | n | 2.0 | Multiplier for every step |

Full deployment examples

Troubleshooting

When interacting with kube-lego, it's a good idea to run with LEGO_LOG_LEVEL=debug for more verbose details. Additionally, be aware of the automatically created resources (see environment variables) when cleaning up or testing.

Possible resources for help:

There is also a good chance of getting some support on non-official support channels for kube-lego, but be aware that these are rather general Kubernetes discussion channels.

Enable the pprof tool

To enable the pprof tool run kube-lego with environment LEGO_LOG_LEVEL=debug.

Capture 20 seconds of the execution trace:

$ wget http://localhost:8080/debug/pprof/trace?seconds=20 -O kube-lego.trace

You can inspect the trace sample running

$ go tool trace kube-lego.trace

Authors