An Introduction to Kube-Lego

Automated certificate provisioning for Kubernetes using ACME

Kubernetes Meetup London Aug 2016

Kube-Lego
Automated certificate provisioning for Kubernetes using ACME
https://github.com/jetstack/kube-lego
@JetstackHQ
Image: (CC BY-SA 4.0) Arto Alanenpää

Agenda
● ACME Protocol
● Ingress Resources & Controllers
● Kube-Lego Flow
● Demo
● Kube-Lego Roadmap

Demo Preparation
@ DNS admins in the audience, please point any hostname via a CNAME record to: kube-lego.jetstack.io and tweet the hostname @jetstackhq

ACME / Let's Encrypt Protocol (Automated Certificate Management Environment)
● Well defined protocol for interacting with a CA
● Supports different challenges
  ○ HTTP
  ○ DNS
  ○ TLS-SNI
  ○ Proof of possession of a prior key
● User account
● Maximum certificate lifetime 90 days

Ingress-Controller: Resource
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: s1
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: s2
          servicePort: 80
● More advanced than services
● Not implemented in tree
● L4 - L7

Ingress-Controller: Nginx
● Runs inside your cluster
● Exposed through services (typically type=LoadBalancer)
● Listens to changes of Ingress resources via the K8S API => writes out nginx.conf and reloads nginx
● Custom configuration easily possible
  ○ Basic Auth
  ○ HSTS
  ○ LDAP Auth

SSL Report
Nginx has A+ grade rating

Ingress-Controller: Google Cloud Engine Load Balancers
● L7 load balancing as a service
● Depends on the features of GCE Forwarding Rules
● Ingress controller watches changes in the K8S API and configures GCE accordingly
● One Ingress object equals one load balancer in K8S
● Services need to be of type=NodePort

Ingress-Controller: Use different Ingress controllers
● Selection of the right controller using annotation:
  kubernetes.io/ingress.class: "nginx"
  kubernetes.io/ingress.class: "gce"
● Same Ingress configuration is handled differently on GCE vs. NGINX
  ○ Paths / vs. /*
  ○ Order of backends
  ○ Aggregation of multiple resources vs. isolated instances
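As an added example (not a slide from this deck), the two-host Ingress from the resource slide combined with the controller-selection annotation above and a `tls` section, so that kube-lego can provision and store its certificate. The `kubernetes.io/tls-acme` annotation is the opt-in documented in the kube-lego README rather than on these slides; the resource name and Secret name are constructed.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-bar-ingress                 # constructed name
  annotations:
    # Pick the controller that serves this resource (nginx or gce).
    kubernetes.io/ingress.class: "nginx"
    # Opt this Ingress in to ACME provisioning by kube-lego
    # (annotation from the kube-lego README, not from the slides).
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  # kube-lego requests one certificate covering these hosts and writes
  # it into the named Secret; the Ingress controller then serves it.
  - hosts:
    - foo.bar.com
    - bar.foo.com
    secretName: foo-bar-tls             # constructed; created by kube-lego
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: s1
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: s2
          servicePort: 80
```

Every host listed under `tls.hosts` must resolve to the Ingress controller, since the ACME HTTP challenge is answered through that same Ingress.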

Demo

Future Work / Roadmap: Kube-Lego roadmap
● Better failure handling (marking requests as permanently failed)
● Specify namespaces to watch
● Configure key length and algorithm
● Support TLS-SNI challenge
● Revoke certificates after they have been replaced

Further Information
christian@jetstack.io
github.com/jetstack/kube-lego
@JetstackHQ
Christian Simon