
Re: Let's Encrypt controller for OpenShift



Thank you all for the feedback and to Rajat for the offer to help.

I've looked into it and I like two of them as a basis for my controller
implementation; kube-lego[11] and kube-cert-manager[10]. Mostly because
they seem to be closest to a proper solution. Both of them are missing
some part of functionality that the other one has. Like kube-cert-
manager doesn't work with ingress, but creates certificate objects that
can be mounted to the pods as secrets and supports dns-01 challenge.
But both don't support OpenShift Routes.

I definitely want this new project to be production ready and to have
native support for OpenShift as well as Kubernetes.

I will work on a proposal for those interested to vet, but in the
meantime here are some important features for the design I have in
mind:

- Native support for OpenShift Routes

- Support for Ingress

- Generating certificate objects or secrets mountable into pods
  There are multiple termination policies and if you are not
  terminating SSL on the router you need to mount certificates to pods.
  Also for non HTTP(S) protocols.

- dns-01 challenge (for generating certificates in case of not using
HTTP(S) protocol or being behind firewall, VPN)

- Automated certificate renewal


Regards,
Tomas


[10] - https://github.com/kelseyhightower/kube-cert-manager
[11] - https://github.com/jetstack/kube-lego

On Thu, 2016-11-24 at 14:35 +0100, Tomas Nozicka wrote:
> I've been thinking for a long time about some kind of support for
> Let's Encrypt [1] in OpenShift. In the meantime Kelsey Hightower came
> with his PoC for Kubernetes [2]. It's a great starting point although
> it will need modifications to work with OpenShift's router. Actually I
> think that in combination with the router it becomes more powerful,
> because your app does not even need to support https and reading
> certificates if your route is set to edge termination.
> 
> The main goal here is to provide OpenShift users with valid
> certificates for free and enable HTTPS for everyone. It will also
> take care of certificate renewal.
> 
> I believe this could be a great feature for OpenShift. I know I
> definitely want this for my server at home, but I think this could
> even work for Online, but let's not get ahead of ourselves. It would
> make an awesome demo if you could just create a route for your service
> in OpenShift and get HTTPS (with a valid certificate) out of the box;
> or after installing the controller.
> 
> I would be interested in writing such a controller for OpenShift based
> on Kelsey's work, but I would appreciate some form of guidance from
> someone who knows the router or in general. I'd like to build this as
> an OSS with production quality; not just PoC.
> 
> And I wanted to check if someone isn't already working on that?
> 
> 
> Thanks,
> Tomas
> 
> [1] - https://letsencrypt.org/
> [2] - https://github.com/kelseyhightower/kube-cert-manager

