ployst / docker-nginx-ssl-proxy

http://blog.ployst.com/development/2015/12/22/letsencrypt-on-kubernetes.html
Apache License 2.0

Question about using with letsencrypt #8

Closed ranhsd closed 7 years ago

ranhsd commented 7 years ago

Hi, I am trying to implement this (which was written by you) and I need your help to clarify some things:

  1. About the letsencrypt replication controller and service: do I need to expose the letsencrypt service to the internet, or only as an internal service in my cluster? If the service is exposed internally, I assume that it will be used by the nginx-ssl-proxy service, right?
  2. In my domain settings (currently managed by GoDaddy) I need to point my domain to a different IP address (according to the letsencrypt docs), so I wanted to know which IP address my domain should point to: the IP address of the nginx-ssl-proxy service or the IP address of the letsencrypt service?
  3. Do I need to generate some *.pem files ahead of time (for cert and key), or will everything be done automatically when I deploy both containers to Kubernetes?
  4. Do you have a source where I can download the yaml files for both (the letsencrypt and the proxy pods)?

Thanks in advance!

alexcouper commented 7 years ago

Hi @ranhsd - good questions.

  1. You only need an internal service in the cluster. nginx-ssl-proxy will route stuff through (specifically requests that go to /.well-known/acme-challenge) to the letsencrypt service
  2. You'll just need to point your domain to the service in front of nginx-ssl-proxy. The letsencrypt pod will initiate a request for verification, letsencrypt will ask of http://{your-domain}/.well-known/acme-challenge and that request will route through to the pod where the challenge is found.
  3. You may need to do this. I'd try without it but if you need to just any old thing will do - letsencrypt pod will recreate these via a cron and you can call this manually to get going first (just exec onto the pod and see what is in the crontab)
  4. I don't have a source but I'll include below here what I'm using
alexcouper commented 7 years ago

Letsencrypt.yaml

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: letsencrypt-live-deployment
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: letsencrypt
        mode: live
    spec:
      containers:
      - name: letsencrypt
        image: ployst/letsencrypt:0.1.0
        env:
        - name: EMAIL
          value: {email-address}
        - name: DOMAINS
          value: foo.example.com bar.example.com
        - name: DEPLOYMENTS
          value: nginx-ssl-proxy-foo-live-deployment nginx-ssl-proxy-bar-live-deployment
        - name: SECRET_NAME
          value: certs-example.com
        - name: CRON_FREQUENCY
          value: '15 1 1 * *'
        ports:
        - name: ssl-proxy-http
          containerPort: 80

Proxy

I have 2 of these, one foo and one bar that both use the same certs gathered from the single letsencrypt pod above

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ssl-proxy-foo-live-deployment
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: nginx-ssl-proxy-foo
        mode: live
    spec:
      containers:
      - name: nginx-ssl-proxy-foo
        image: ployst/nginx-ssl-proxy:0.0.7
        env:
        - name: SERVICE_HOST_ENV_NAME
          value: FOO_SERVICE_SERVICE_HOST
        - name: SERVICE_PORT_ENV_NAME
          value: FOO_SERVICE_SERVICE_PORT
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: CERT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: CERT_SERVICE_SERVICE_PORT
        - name: SERVER_NAME
          value: foo.example.com
        - name: ENABLE_SSL
          value: 'true'
        - name: ENABLE_BASIC_AUTH
          value: 'false'
        - name: WEB_SOCKETS
          value: 'true'
        ports:
        - name: ssl-proxy-http
          containerPort: 80
        - name: ssl-proxy-https
          containerPort: 443
        volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
          readOnly: true
      volumes:
      - name: secrets
        secret:
          secretName: certs-example.com
ranhsd commented 7 years ago

Hi @alexcouper - thanks a lot for the detailed answer. I will try it and will let you know.

ranhsd commented 7 years ago

Hi @alexcouper - do I need 2 additional yaml files for the nginx-ssl-proxy service and for the letsencrypt service? And about SERVICE_HOST_ENV_NAME and CERT_SERVICE_HOST_ENV_NAME: I assume that CERT_SERVICE_HOST_ENV_NAME should point to the letsencrypt pod cluster IP address (is this correct?), but what about CERT_SERVICE_HOST_ENV_NAME, where should it point?

Thanks again.

alexcouper commented 7 years ago

You need to define the services separately, yes. I've again included samples below.

SERVICE_HOST_ENV_NAME and CERT_SERVICE_HOST_ENV_NAME are smarter than just clusterIP. Put in here the name of the environment variable that holds the ip address. K8S populates an env variable for every service so your pods can look up in the env what the service ip is - meaning that if the ip changes the pod just needs to be restarted (rather than config changed)

cert-service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    role: cert-app
  name: cert-service
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: letsencrypt
    mode: live
  type: ClusterIP

proxy service yaml

apiVersion: v1
kind: Service
metadata:
  name: ssl-proxy-api-service
spec:
  ports:
  - port: 443
    targetPort: 443
  - port: 80
    targetPort: 80
  selector:
    app: nginx-ssl-proxy-api
    mode: live
  type: LoadBalancer

Env vars

If you had the above 2 services along with a third named "ranhsd-service" that is your actual service (the one where requests eventually want to end up), you'd set:

- name: SERVICE_HOST_ENV_NAME
  value: RANHSD_SERVICE_SERVICE_HOST
- name: SERVICE_PORT_ENV_NAME
  value: RANHSD_SERVICE_SERVICE_PORT
- name: CERT_SERVICE_HOST_ENV_NAME
  value: CERT_SERVICE_SERVICE_HOST
- name: CERT_SERVICE_PORT_ENV_NAME
  value: CERT_SERVICE_SERVICE_PORT
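The two mechanisms described in this thread (the `*_ENV_NAME` variables naming the Kubernetes-generated `<SERVICE>_SERVICE_HOST` / `<SERVICE>_SERVICE_PORT` variables rather than holding an IP directly, and the proxy forwarding only `/.well-known/acme-challenge` to the cert service while everything else goes to the real backend) can be shown together in one small script. The following is an added illustration, not code from the ployst images or from the thread's authors: it resolves the indirection from a pod environment, refuses values that are missing or that could not be a host or port (so a bad or attacker-influenced variable cannot inject extra nginx directives into the rendered config), and renders the plain-HTTP routing part of an nginx server block. The TLS termination the real image adds from the mounted secret is not reproduced here, and `SAMPLE_ENV` is a constructed pod environment with made-up cluster IPs.

```python
"""Resolve nginx-ssl-proxy style indirect service lookups and render routing config.

SERVICE_HOST_ENV_NAME does not hold an IP; it holds the *name* of the variable
Kubernetes injects for the Service (e.g. RANHSD_SERVICE_SERVICE_HOST), and that
variable holds the cluster IP. The same applies to the three sibling variables.
"""
import os
import re
from typing import Mapping

# Cluster IPs and DNS names only: no slashes, spaces, semicolons or braces that
# could smuggle additional nginx directives into the generated configuration.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+$")

# Constructed sample pod environment (cluster IPs are made up for the example).
SAMPLE_ENV = {
    "SERVICE_HOST_ENV_NAME": "RANHSD_SERVICE_SERVICE_HOST",
    "SERVICE_PORT_ENV_NAME": "RANHSD_SERVICE_SERVICE_PORT",
    "CERT_SERVICE_HOST_ENV_NAME": "CERT_SERVICE_SERVICE_HOST",
    "CERT_SERVICE_PORT_ENV_NAME": "CERT_SERVICE_SERVICE_PORT",
    "RANHSD_SERVICE_SERVICE_HOST": "10.3.240.17",  # injected by Kubernetes for ranhsd-service
    "RANHSD_SERVICE_SERVICE_PORT": "8080",
    "CERT_SERVICE_SERVICE_HOST": "10.3.241.9",     # injected by Kubernetes for cert-service
    "CERT_SERVICE_SERVICE_PORT": "80",
    "SERVER_NAME": "foo.example.com",
}


def resolve_indirect(env: Mapping[str, str], pointer: str) -> str:
    """Return env[env[pointer]], failing loudly if either level of the lookup is missing."""
    if pointer not in env:
        raise KeyError(f"{pointer} is not set in the pod environment")
    target = env[pointer]
    if target not in env:
        # Kubernetes only injects <SERVICE>_SERVICE_HOST for Services that existed
        # when the pod started; a pod created earlier must be restarted.
        raise KeyError(f"{pointer}={target!r} but {target} is not set; "
                       "create the Service first or restart the pod")
    return env[target]


def resolve_host(env: Mapping[str, str], pointer: str) -> str:
    """Resolve a host pointer and reject anything that is not a plain IP or hostname."""
    host = resolve_indirect(env, pointer)
    if not _HOST_RE.match(host):
        raise ValueError(f"{pointer} resolved to an unsafe host value {host!r}")
    return host


def resolve_port(env: Mapping[str, str], pointer: str) -> int:
    """Resolve a port pointer and require a valid TCP port number."""
    raw = resolve_indirect(env, pointer)
    if not raw.isdigit() or not 1 <= int(raw) <= 65535:
        raise ValueError(f"{pointer} resolved to an invalid port {raw!r}")
    return int(raw)


def render_nginx_conf(env: Mapping[str, str]) -> str:
    """Render the HTTP routing: ACME challenges to the cert service, the rest to the backend."""
    backend_host = resolve_host(env, "SERVICE_HOST_ENV_NAME")
    backend_port = resolve_port(env, "SERVICE_PORT_ENV_NAME")
    cert_host = resolve_host(env, "CERT_SERVICE_HOST_ENV_NAME")
    cert_port = resolve_port(env, "CERT_SERVICE_PORT_ENV_NAME")
    server_name = env.get("SERVER_NAME", "_")  # "_" is nginx's catch-all name
    if server_name != "_" and not _HOST_RE.match(server_name):
        raise ValueError(f"SERVER_NAME is not a plain hostname: {server_name!r}")
    return (
        "server {\n"
        "    listen 80;\n"
        f"    server_name {server_name};\n\n"
        "    # HTTP-01 challenges are answered by the letsencrypt pod behind cert-service\n"
        "    location /.well-known/acme-challenge/ {\n"
        f"        proxy_pass http://{cert_host}:{cert_port};\n"
        "    }\n\n"
        "    # Everything else goes to the application's own Service\n"
        "    location / {\n"
        f"        proxy_pass http://{backend_host}:{backend_port};\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Inside a real pod, render from the actual environment; the sample is used otherwise.
    env = os.environ if "SERVICE_HOST_ENV_NAME" in os.environ else SAMPLE_ENV
    print(render_nginx_conf(env))
```

The point of failing on a missing second-level variable is the one made in the thread: the `<SERVICE>_SERVICE_HOST` variables are populated at pod start, so a proxy pod that came up before `cert-service` existed will have the pointer but not the target, and the fix is to restart the pod rather than edit the config.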