Open phlax opened 3 years ago
one thing im not clear about is whether an additional file/web server is required to serve the .well-known
dir
seems like we may be able to use the cache
filter to provide the well-known key
any thoughts on this @mattklein123 ?
any thoughts on this @mattklein123 ?
I think a better plan would probably be to just use the SDS API (or raw file system watches) to watch a directory that gets rotated with the secrets? I think that is how most people do this.
watch a directory that gets rotated with the secrets?
is that for the well-known
dir as well as the certs (assuming certbot uses webroot) ?
is that for the well-known dir as well as the certs (assuming certbot uses webroot) ?
TBH I don't know much about this. I would probably take a look at what Ambassador and Contour do and try to simplify/replicate that?
look at what Ambassador and Contour do and try to simplify/replicate that?
afaict Ambassador and Contour both use cert-manager which is a kubernetes thing
cert-manager (afaict from quick view of source) uses webroot under the hood
to use webroot, we need to be able to (from vague memory):
.well-known
public http path that the ACME server can seeif we use a certbot side car it will take care of steps 1-3 with the exception of actually serving the .well-known
token
i think to move forward on this i will set it up initially with nginx to serve the dir, and once its working that way we can figure out if/how to remove the web server bit
description
Even though Envoy doesnt have native support for ACME (at least not in the way traefik eg does), i think its a very popular concern
As i understand it, ACME support atm relies on a
certbot
sidecar to do renewal etcI think it would be useful to provide a sandbox implementation of this method at least, and in the future if #96 is resolved we can update
I believe it would be possible to create this sandbox using the Pebble ACME server for demonstration purposes
refs
96