
Using Voyager and Let's Encrypt in multiple Kubernetes clusters in different regions #687

Closed
tamalsaha opened this issue Nov 5, 2017 · 2 comments

@tamalsaha
Member

commented Nov 5, 2017

From @greg-jaunt in slack:

I currently have two Kubernetes clusters in two different AWS regions behind a single geolocating Route 53 DNS CNAME that routes to the same service running behind Voyager in both clusters. Today I am hand-configuring the same Let's Encrypt cert in each cluster.
If I switch to using Let's Encrypt certs that are auto-generated by Voyager, will the competing certificate requests from each of the two clusters cause issues with Let's Encrypt, or will LE happily generate two valid certs on the same day for the same DNS name? Given the 4-requests-a-day rule (and looking forward to having more than 4 clusters), will LE care if I use a unique email address for the cert request in each cluster? Could the renewal fail if Voyager is trying to do DNS validation to renew the cert in both clusters at the same time? If so, is there any way to control the renewal timing?

@tamalsaha

Member Author

commented Nov 5, 2017

If I switch to using Let's Encrypt certs that are auto-generated by Voyager, will the competing certificate requests from each of the two clusters cause issues with Let's Encrypt, or will LE happily generate two valid certs on the same day for the same DNS name?

This should work. But applicable rate limiting will be applied by LE.

Given the 4-requests-a-day rule (and looking forward to having more than 4 clusters), will LE care if I use a unique email address for the cert request in each cluster?

From https://letsencrypt.org/docs/rate-limits/, I did not see a 4-requests-a-day rule. But I see a Duplicate Certificate limit of 5 certificates per week.

Could the renewal fail if Voyager is trying to do DNS validation to renew the cert in both clusters at the same time?

No, I think. Each validation process should get its own CNAME that will be added to Route53. So, it should succeed independently. I have also seen that LE caches domain validations. See the last FAQ: https://letsencrypt.org/docs/faq/

Once you successfully complete the challenges for a domain, the resulting authorization is cached for your account to use again later. Cached authorizations last for 30 days from the time of validation. If the certificate you requested has all of the necessary authorizations cached then validation will not happen again until the relevant cached authorizations expire.

If so, is there any way to control the renewal timing?
No, not at this time. Voyager will try to reissue certificates when 7 days are left before expiration. We can start the process 15 days from expiration to get 2 cycles.

Have you looked into using cluster federation? Using Federated secrets you can avoid issuing certs in each cluster.
https://kubernetes.io/docs/tasks/administer-federation/secret/
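The two constraints discussed in this comment, Let's Encrypt's Duplicate Certificate limit (5 per week for the same set of names) and Voyager's renewal threshold (reissue with 7 days left, or 15 days for two cycles), modelled as an added Python example. This is not Voyager's code or anything from this issue; the cluster names, dates, and the assumption that every cluster renews its copy of the cert on the same day are constructed for illustration.

```python
"""Model of the Let's Encrypt duplicate-certificate limit and the Voyager
renewal window as described in the issue. Added example; the limit (5 per
rolling week) and the 7-day renewal threshold come from the discussion,
all dates and cluster names below are constructed."""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5                 # identical certs (same FQDN set) per rolling week
DUPLICATE_WINDOW = timedelta(days=7)
VOYAGER_RENEW_DAYS = 7              # Voyager reissues when 7 days are left

# Constructed: a cert issued 2017-11-05 with the usual 90-day LE lifetime.
EXAMPLE_NOT_AFTER = datetime(2018, 2, 3)
EXAMPLE_NOW = datetime(2018, 1, 28)      # 6 days left
EXAMPLE_EARLIER = datetime(2018, 1, 20)  # 14 days left


def issuances_in_window(issued, now):
    """Count issuances of one FQDN set inside the rolling week ending at `now`."""
    return sum(1 for t in issued if now - DUPLICATE_WINDOW < t <= now)


def can_issue(issued, now):
    """True if one more duplicate certificate still fits under the limit."""
    return issuances_in_window(issued, now) < DUPLICATE_LIMIT


def should_renew(not_after, now, days_before=VOYAGER_RENEW_DAYS):
    """Voyager-style check: renew once `days_before` days or fewer remain."""
    return not_after - now <= timedelta(days=days_before)


def weekly_windows_before_expiry(days_before):
    """Full rate-limit windows (weeks) between the start of renewal and expiry:
    starting 7 days out gives one, starting 15 days out gives two."""
    return days_before // DUPLICATE_WINDOW.days


def simulate_same_day_renewal(clusters, renewal_time, prior_issued=()):
    """Each cluster independently requests a cert for the same FQDN set at
    `renewal_time`, i.e. the worst case for the duplicate limit.
    Returns (granted, rate_limited) cluster names in request order."""
    issued = list(prior_issued)
    granted, limited = [], []
    for name in clusters:
        if can_issue(issued, renewal_time):
            issued.append(renewal_time)
            granted.append(name)
        else:
            limited.append(name)
    return granted, limited


def demo():
    """Two clusters renew fine; six clusters renewing the same day exceed the limit."""
    clusters = ["us-east-1", "us-west-2", "eu-west-1", "ap-northeast-1",
                "ap-southeast-2", "sa-east-1"]  # constructed cluster names
    renewal_time = EXAMPLE_NOT_AFTER - timedelta(days=VOYAGER_RENEW_DAYS)
    # The original issuance is ~83 days earlier, so it is outside the window.
    initial = [EXAMPLE_NOT_AFTER - timedelta(days=90)]
    granted, limited = simulate_same_day_renewal(clusters, renewal_time, initial)
    _, limited_two = simulate_same_day_renewal(clusters[:2], renewal_time, initial)
    return {
        "granted": granted,
        "rate_limited": limited,
        "two_clusters_ok": limited_two == [],
        "windows_at_7": weekly_windows_before_expiry(7),
        "windows_at_15": weekly_windows_before_expiry(15),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why the original question about "more than 4 clusters" matters: with independent issuance per cluster the sixth cluster renewing in the same week is rate limited, which is the case for syncing one Secret across clusters rather than issuing in each.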

@tamalsaha

Member Author

commented Feb 6, 2018

We recommend using kubed for syncing secrets across clusters. https://appscode.com/products/kubed/0.5.0/guides/config-syncer/inter-cluster/

@tamalsaha tamalsaha closed this Feb 6, 2018
