Proof of concept using kubernetes-certbot on k8s.io redirector

ixdy · Dec 1, 2016 · c89d75d · c89d75d
1 parent 190ee5b
commit c89d75d
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 1 deletion.
diff --git a/k8s.io/Makefile b/k8s.io/Makefile
@@ -3,18 +3,20 @@ all: test
 .PHONY: deploy-fake-secret
 deploy-fake-secret:
 	openssl genrsa -out tls.key 2048
-	openssl req -new -key tls.key -out tls.csr -subj '/CN=k8s.io/O=TEST/C=US'
+	openssl req -new -key tls.key -sha256 -out tls.csr -subj '/CN=k8s.io/O=TEST/C=US'
 	openssl x509 -req -days 10000 -in tls.csr -signkey tls.key -out tls.crt
 	kubectl get secret/ssl || kubectl create secret generic ssl --from-file=tls.key=tls.key --from-file=tls.crt=tls.crt
 
 .PHONY: deploy
 deploy:
 	kubectl get secret/ssl || kubectl apply -f secret-ssl.yaml
+	kubectl apply -f configmap-certbot.yaml
 	kubectl apply -f configmap-nginx.yaml
 	kubectl apply -f configmap-www-get.yaml
 	kubectl apply -f configmap-www-golang.yaml
 	kubectl apply -f service-dev.yaml
 	kubectl apply -f deployment.yaml
+	kubectl apply -f deployment-certbot.yaml
 
 .PHONY: test
 test:

diff --git a/k8s.io/configmap-certbot.yaml b/k8s.io/configmap-certbot.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: letsencrypt-ssl-certificates
+data:
+  ssl-certifcates.properties: |
+    ssl=k8s.io,kubernetes.io,get.k8s.io,get.kubernetes.io
diff --git a/k8s.io/configmap-nginx.yaml b/k8s.io/configmap-nginx.yaml
@@ -23,6 +23,10 @@ data:
         listen 80;
         listen 443 ssl;
 
+        location /.well-known/acme-challenge/ {
+          proxy_pass http://kubernetes-certbot;
+        }
+
         if ($arg_go-get = "1") {
           # This is a go-get operation.
           # Send any file in any repo to static content.
@@ -136,10 +140,15 @@ data:
         listen 80;
         # 443 is covered below.
 
+        location /.well-known/acme-challenge/ {
+          proxy_pass http://kubernetes-certbot;
+        }
+
         location / {
           root /www/get;
           index get-kube-insecure.sh;
         }
+
       }
       server {
         server_name get.k8s.io get.kubernetes.io;

diff --git a/k8s.io/deployment-certbot.yaml b/k8s.io/deployment-certbot.yaml
@@ -0,0 +1,40 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kubernetes-certbot
+  labels:
+    app: kubernetes-certbot
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: kubernetes-certbot
+    spec:
+      containers:
+        - name: certbot
+          image: gcr.io/jgrafton-kubernetes-test-1385/kubernetes-certbot
+          imagePullPolicy: Always
+          env:
+            - name: SECRET_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LETS_ENCRYPT_EMAIL
+              # TODO: Provide an email for let's encrypt.
+              value: jgrafton@google.com
+            - name: STAGING
+              value: "staging"
+          volumeMounts:
+            - mountPath: /etc/letsencrypt
+              name: letsencrypt-data
+            - mountPath: /etc/letsencrypt-certs
+              name: letsencrypt-certs-config
+      volumes:
+        - name: letsencrypt-data
+          # TODO: Consider using real, secure storage on your cluster.
+          emptyDir: {}
+        - name: letsencrypt-certs-config
+          configMap:
+            name: letsencrypt-ssl-certificates
+