The purpose of this repository is to generate LetsEncrypt certificates using dehydrated and then post the updated certificate to a Kong api gateway.
The certificate generation is done using DNS verification rather than the .well-known folder. As a result you need to ensure that you have the correct priviledged on your GKE cluster in order to modify DNS records.
You could quite easily fork this and change this part of the script to send the certificates to something other than Kong, like some shared storage your NGINX server uses, or a Kubernetes secret used on ingress termination.
You need to specify the following environment variables when running the container:
- KONG_GATEWAY
- KONG_USER
- KONG_PASSWORD
- CONTACT_EMAIL
- FQDN
From there, do run locally, just do docker-compose run --rm letsencrypt.
As LetsEncrypt certs need periodically updating, you could run this container as a scheduled job. The following example would run this image once per month.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
spec:
schedule: "0 0 1 * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: letsencypt
image: eu.gcr.io/your-project/your-image-name