jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Adding custom annotations to the kube-lego generated ingresses #203

Closed 2color closed 7 years ago

2color commented 7 years ago

Problem

In my global nginx-ingress-controller configuration I set the whitelist-source-range to allow traffic only from specific IPs. This means that the kube-lego generated ingress (see below) for the ACME challenge cannot be accessed by Let's Encrypt.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme-challenge-endpoints: "true"
  creationTimestamp: 2017-05-23T10:54:33Z
  generation: 24
  name: kube-lego-nginx
  namespace: kube-lego
  resourceVersion: "11479082"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-lego/ingresses/kube-lego-nginx
  uid: 3497760c-3fa6-11e7-91bb-42010af0017f
spec:
  rules:
  - host: OUR_HOSTNAME
    http:
      paths:
      - backend:
          serviceName: kube-lego-nginx
          servicePort: 8080
        path: /.well-known/acme-challenge

Suggestion

Add a configuration option to kube-lego to allow defining a custom annotation (ingress.kubernetes.io/whitelist-source-range) for the challenge ingress.
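As an added example (not code from this issue or from kube-lego) of the interaction described above: a small check of whether a validation request would reach the challenge path while the challenge ingress inherits the controller-wide whitelist, and the same ingress with the per-ingress annotation override the suggestion asks for. It assumes nginx-ingress's semantics that a per-ingress whitelist-source-range annotation replaces the ConfigMap value; the CIDRs and the validator address are constructed.

```python
import copy
import ipaddress

WHITELIST_ANNOTATION = "ingress.kubernetes.io/whitelist-source-range"
ACME_PATH = "/.well-known/acme-challenge"

# Constructed sample of the controller-wide setting (nginx-ingress ConfigMap key).
GLOBAL_CONFIG = {"whitelist-source-range": "10.0.0.0/8,203.0.113.0/24"}

# Constructed sample of the challenge ingress from the issue, reduced to the fields used here.
CHALLENGE_INGRESS = {
    "metadata": {
        "name": "kube-lego-nginx",
        "annotations": {"kubernetes.io/ingress.class": "nginx",
                        "kubernetes.io/tls-acme-challenge-endpoints": "true"},
    },
    "spec": {"rules": [{"host": "OUR_HOSTNAME", "http": {"paths": [
        {"path": ACME_PATH,
         "backend": {"serviceName": "kube-lego-nginx", "servicePort": 8080}}]}}]},
}


def effective_whitelist(global_config, ingress):
    """CIDRs applied to this ingress; an empty list means no source restriction.
    Assumed nginx-ingress semantics: a per-ingress annotation replaces the ConfigMap value."""
    annotations = ingress["metadata"].get("annotations", {})
    raw = annotations.get(WHITELIST_ANNOTATION,
                          global_config.get("whitelist-source-range", ""))
    return [ipaddress.ip_network(c.strip()) for c in raw.split(",") if c.strip()]


def serves_acme_challenge(ingress):
    """True if any rule on the ingress routes the HTTP-01 challenge path."""
    return any(p["path"] == ACME_PATH
               for rule in ingress["spec"]["rules"]
               for p in rule.get("http", {}).get("paths", []))


def challenge_reachable_from(global_config, ingress, source_ip):
    """Would a validation request from source_ip reach the challenge backend?"""
    if not serves_acme_challenge(ingress):
        return False
    allowed = effective_whitelist(global_config, ingress)
    return not allowed or any(ipaddress.ip_address(source_ip) in net for net in allowed)


def with_whitelist_override(ingress, cidrs):
    """Copy of the ingress carrying the per-ingress annotation the issue asks kube-lego to add."""
    patched = copy.deepcopy(ingress)
    patched["metadata"].setdefault("annotations", {})[WHITELIST_ANNOTATION] = cidrs
    return patched
```

With the constructed global whitelist, a validator at 198.51.100.7 is refused until the challenge ingress carries its own annotation (for example "0.0.0.0/0", since Let's Encrypt does not publish fixed validation addresses).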

munnerz commented 7 years ago

I'm going to close this for now, as #114 has been merged.

If there's a need in future for arbitrary annotations to be added to ingresses, we can revisit this. But given the extra complexity this may bring, I'm hesitant to force a particular implementation now before we know the use cases.