vmware-archive / kube-prod-runtime

A standard infrastructure environment for Kubernetes
Apache License 2.0
767 stars 135 forks

Switch to DNS-01 ACME challenges #304

Open anguslees opened 5 years ago

anguslees commented 5 years ago

DNS-based ACME (letsencrypt) challenges are simpler and more robust than HTTP challenges, because they avoid all the Ingress merging/mangling.

Also:

EamonKeane commented 5 years ago

This would be nice to see - we could then turn on --default-ssl-certificate and have ingresses automatically use the wildcard cert.

https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

SailingYYC commented 5 years ago

I concur with @anguslees. I'm looking to implement BKPR across the board, but our Prod clusters have no public ingresses. Is there a plan to put this on the roadmap?