ployst / docker-nginx-ssl-proxy

http://blog.ployst.com/development/2015/12/22/letsencrypt-on-kubernetes.html
Apache License 2.0
24 stars 18 forks

Can't map two secrets to /etc/secrets #9

Open bitmage opened 7 years ago

bitmage commented 7 years ago

Kubernetes doesn't support mapping two secrets to the same directory... They're mounted as volumes and you can't put one volume inside another or merge the keys in any way.

In the meantime, is there something we can do with this container to make it easier to work with? Possible solutions:

  1. Make the auth secret location configurable, e.g. AUTH_LOCATION.
  2. Put the auth secret in a different place, e.g. /etc/auth/htpasswd.

1 would be more backward compatible, but is anyone successfully utilizing the current configuration? 2 avoids adding an additional config parameter, and feels a little bit more aware of the present Kubernetes limitations.

alexcouper commented 7 years ago

I'm assuming that you're wanting to use a single nginx proxy for multiple letsencrypt (or otherwise) provided certs and hosts.

Up until now I've been running one per domain name - but yes this seems less than ideal.

But maybe this isn't what you're saying because there would be more issues than just this - for example the servername only allows one at the moment etc.

So maybe you could provide some more (zoomed out) details of what it is you're trying to do?

bitmage commented 7 years ago

Oh, I'm actually running multiple domains successfully, both with the proxy and the cert service. Servername works with space separation, per the nginx spec. But that's not what's going on here.

In this case it's just a volume mounting issue. You can't mount two secrets volumes in the same directory. The problem is I'm getting my cert secrets from one secret instance (created by the letsencrypt container), and my auth secret from another secret instance (created manually).

I have to do a bunch of symlinking right now to get Kubernetes to put all these files in the same place. It would be easier if they were just separate directories, one for certs and the other for auth. I know it seems like a weird way to orient the file system, just trying to think of workarounds for Kubernetes' current limitations.

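Added example, not part of the thread or of the project's own manifests: a Kubernetes `projected` volume is a volume type that places the keys of several secrets under a single mount path, which is the `/etc/secrets` layout discussed above. The pod name, secret names (`letsencrypt-certs`, `proxy-auth`) and the image placeholder are assumptions for illustration.

```yaml
# Added example: one projected volume combining two Secret objects
# under the single directory the proxy reads from.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-ssl-proxy            # hypothetical pod name
spec:
  containers:
    - name: proxy
      image: <nginx-ssl-proxy-image>   # placeholder, substitute the image you deploy
      volumeMounts:
        - name: proxy-secrets
          mountPath: /etc/secrets      # directory named in this issue
          readOnly: true
  volumes:
    - name: proxy-secrets
      projected:
        # Restrictive file mode; assumes the process reading the files
        # runs as the owner of the mounted files.
        defaultMode: 0400
        sources:
          # Cert material written by the letsencrypt container
          # (secret name is hypothetical).
          - secret:
              name: letsencrypt-certs
          # Manually created basic-auth secret (name is hypothetical).
          # Keep key names distinct across the two secrets so each key
          # maps to its own file under /etc/secrets.
          - secret:
              name: proxy-auth
```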