
Good practices for handling TLS LetsEncrypt with Kubernetes Service

Considering an Nginx reverse proxy handling TLS LetsEncrypt certificates "in front" of a backend service, what is the good deployment architecture of this setup on Kubernetes?

My first thought was to make a container with both Nginx and my server in it, deployed as a StatefulSet. All those stateful sets have access to a volume mounted on /etc/nginx/certificates. All those containers are running a cron and are allowed to renew those certificates.

However, I do not think it's the best approach. This type of architecture is made to be split, not to run completely independent services everywhere.

Maybe I should run an independent proxy service which handles certificates and does the redirection to the backend server deployment (ingress + job for certificate renewal)?

If you are using a managed service (such as GCP HTTPS Load Balancer), how do you issue a publicly trusted certificate and renew it?

You want kube-lego.

kube-lego automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt

It works with GKE+LoadBalancer and with nginx-ingress as well. Usage is trivial; automatic certificate requests (including renewals); uses LetsEncrypt.

The README says (perhaps tongue in cheek) that you need a non-production use case. I have been using it for production and I have found it to be reliable enough.

(Full disclosure: I'm loosely associated with the authors but not paid to advertise the product)
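For the setup the answer describes (kube-lego in front of nginx-ingress), this is what an Ingress that opts in to automatic certificate issuance looks like. It is an added example, not from the original post or the kube-lego project; the hostname, namespace, Service name and Secret name are placeholders, and the `extensions/v1beta1` API version is assumed as the one current for the Kubernetes releases kube-lego targeted.

```yaml
# Added example, not part of the original answer or of kube-lego itself.
# kube-lego watches Ingress objects carrying the kubernetes.io/tls-acme
# annotation, answers the ACME HTTP-01 challenge through the same ingress
# controller, and writes the issued certificate and key into the Secret
# named under tls[].secretName, renewing it before expiry.
apiVersion: extensions/v1beta1          # assumed: API version of the kube-lego era
kind: Ingress
metadata:
  name: web
  namespace: default                    # placeholder namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"  # nginx-ingress serves the challenge path
    kubernetes.io/tls-acme: "true"        # opt this Ingress in to kube-lego
spec:
  tls:
  - hosts:
    - www.example.com                   # placeholder; must resolve to the ingress
    secretName: www-example-com-tls     # kube-lego creates and renews this TLS Secret
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web              # placeholder: backend Service, no TLS logic inside
          servicePort: 80
```

The Secret holds the private key, so limit who may read Secrets in that namespace with RBAC, and confirm renewal is actually happening with `kubectl get secret www-example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate`.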
