Add an ACME/letsencrypt sandbox

envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy

https://www.envoyproxy.io

Apache License 2.0

24.48k stars 4.72k forks source link

Add an ACME/letsencrypt sandbox #13828

Open phlax opened 3 years ago

phlax commented 3 years ago

description

Even though Envoy doesnt have native support for ACME (at least not in the way traefik eg does), i think its a very popular concern

As i understand it, ACME support atm relies on a certbot sidecar to do renewal etc

I think it would be useful to provide a sandbox implementation of this method at least, and in the future if #96 is resolved we can update

I believe it would be possible to create this sandbox using the Pebble ACME server for demonstration purposes

refs

phlax commented 3 years ago

one thing im not clear about is whether an additional file/web server is required to serve the .well-known dir

phlax commented 3 years ago

seems like we may be able to use the cache filter to provide the well-known key

any thoughts on this @mattklein123 ?

mattklein123 commented 3 years ago

any thoughts on this @mattklein123 ?

I think a better plan would probably be to just use the SDS API (or raw file system watches) to watch a directory that gets rotated with the secrets? I think that is how most people do this.

phlax commented 3 years ago

watch a directory that gets rotated with the secrets?

is that for the well-known dir as well as the certs (assuming certbot uses webroot) ?

mattklein123 commented 3 years ago

is that for the well-known dir as well as the certs (assuming certbot uses webroot) ?

TBH I don't know much about this. I would probably take a look at what Ambassador and Contour do and try to simplify/replicate that?

phlax commented 3 years ago

look at what Ambassador and Contour do and try to simplify/replicate that?

afaict Ambassador and Contour both use cert-manager which is a kubernetes thing

cert-manager (afaict from quick view of source) uses webroot under the hood

to use webroot, we need to be able to (from vague memory):

initiate a request, and receive a token
place the token in the specified .well-known public http path that the ACME server can see
request and receive the actual cert
store cert/make available to https endpoint

if we use a certbot side car it will take care of steps 1-3 with the exception of actually serving the .well-known token

phlax commented 3 years ago

i think to move forward on this i will set it up initially with nginx to serve the dir, and once its working that way we can figure out if/how to remove the web server bit