openshift-acme is ACME Controller for OpenShift and Kubernetes clusters. It will automatically provision certficates using ACME protocol and manage their lifecycle (like automatic renewals).
Enabling ACME certificates for your object
Once openshift-acme controller is running on your cluster all you have to do is annotate your Route or other supported object like this:
metadata: annotations: kubernetes.io/tls-acme: "true"
We have created some deployments to get you started in just a few seconds. (But feel free to create one that suits your needs.)
Let's encrypt provides two APIs: live and staging. There is also an option to deploy the controller to watch the whole cluster or only single namespace depending on what privileges you have.
Warning: Whenever you need to switch between those two environments you need to delete the Secret
acme-account created on your behalf in the same namespace as you've deployed the controller. (Those environments are totally separate making your account invalid when used with the other one.)
staging is meant for testing the controller or making sure you can try it out without the fear or exhausing your rate limits while trying it out and it will provide you with certificates signed by Let's Encrypt testing CA making the certs not trusted!
live will provide you with trusted certificates but has lower rate limits. This is what you want when you're done testing/evaluating the controller
openshift-acme just went through a complete rewrite to become a fully fledged controller using all the fancy stuff like shared informers and work queue to make it more reliable.
OpenShift Routes are fully supported.
Also in near future for every route that has certificate provisioned by openshift-acme, the controller will create a Secret containing the certificate to allow you to mount it into pods and enable SSL in the passthrough mode. This will be especially useful for not HTTP based protocols.
- Advanced rate limiting
- Creating associated Secrets for Routes containing the certificate
- Ingress (and Kubernetes) support