diff --git a/README.md b/README.md index c6a6bbd3..a917d3f4 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ ## Requirements - Kubernetes 1.2+ -- Compatible ingress controller (nginx or GCE see [here](#ingress-controllers)) +- Compatible ingress controller (nginx, HAProxy or GCE see [here](#ingress-controllers)) - Non-production use case :laughing: ## Usage @@ -33,6 +33,7 @@ * [GCE](examples/gce/README.md) * [nginx controller](examples/nginx/README.md) +* [HAProxy controller](/examples/haproxy) The default value of `LEGO_URL` is the Let's Encrypt **staging environment**. If you want to get "real" certificates you have to configure their production env. @@ -88,6 +89,11 @@ Please note: - available through image `gcr.io/google_containers/nginx-ingress-controller` - fully supports kube-lego from version 0.8 onwards +### [HAProxy Ingress controller](https://github.com/jcmoraisjr/haproxy-ingress) + +- available through image `quay.io/jcmoraisjr/haproxy-ingress` +- fully supports kube-lego from version 0.3 onwards + ### [GCE Loadbalancers](https://github.com/kubernetes/ingress/tree/master/controllers/gce) - you don't have to maintain the ingress controller yourself, you pay GCE to do that for you 
@@ -104,10 +110,12 @@ Please note: | `LEGO_URL` | n | `https://acme-staging.api.letsencrypt.org/directory` | URL for the ACME server. To get "real" certificates set to the production API of Let's Encrypt: `https://acme-v01.api.letsencrypt.org/directory` | | `LEGO_SECRET_NAME` | n | `kube-lego-account` | Name of the secret in the same namespace that contains ACME account secret | | `LEGO_SERVICE_NAME_NGINX` | n | `kube-lego-nginx` | Service name for NGINX ingress | +| `LEGO_SERVICE_NAME_HAPROXY` | n | `kube-lego-haproxy` | Service name for HAProxy ingress | | `LEGO_SERVICE_NAME_GCE` | n | `kube-lego-gce` | Service name for GCE ingress | -| `LEGO_SUPPORTED_INGRESS_CLASS` | n | `nginx,gce` | Specify the supported ingress class | -| `LEGO_SUPPORTED_INGRESS_PROVIDER` | n | `nginx,gce` | Specify the supported ingress provider | +| `LEGO_SUPPORTED_INGRESS_CLASS` | n | `nginx,haproxy,gce` | Specify the supported ingress class | +| `LEGO_SUPPORTED_INGRESS_PROVIDER` | n | `nginx,haproxy,gce` | Specify the supported ingress provider | | `LEGO_INGRESS_NAME_NGINX` | n | `kube-lego-nginx` | Ingress name which contains the routing for HTTP verification for nginx ingress | +| `LEGO_INGRESS_NAME_HAPROXY` | n | `kube-lego-haproxy` | Ingress name which contains the routing for HTTP verification for HAProxy ingress | | `LEGO_PORT` | n | `8080` | Port where this daemon is listening for verifcation calls (HTTP method)| | `LEGO_CHECK_INTERVAL` | n | `8h` | Interval for periodically certificate checks (to find expired certs)| | `LEGO_MINIMUM_VALIDITY` | n | `720h` (30 days) | Request a renewal when the remaining certificate validity falls below that value| @@ -121,6 +129,7 @@ Please note: ## Full deployment examples - [Nginx Ingress Controller](examples/nginx/) +- [HAProxy Ingress controller](/examples/haproxy) - [GCE Load Balancers](examples/gce/) ## Troubleshooting diff --git a/examples/haproxy/README.md b/examples/haproxy/README.md new file mode 100644 index 00000000..65ea2070 
--- /dev/null +++ b/examples/haproxy/README.md @@ -0,0 +1,36 @@ +# kube-lego example + +This document demonstrates how to deploy kube-lego to the +[HAProxy Ingress](https://github.com/jcmoraisjr/haproxy-ingress) controller. + +## Deploy the Ingress controller + +Follow the [deployment instructions](https://github.com/kubernetes/ingress/tree/master/examples/deployment/haproxy) +including the deployment of the optional web app for testing. + +## Deploy kube-lego + +The following instruction will create the kube-lego deployment on it's own namespace. +Be aware that kube-lego creates it's related service on its own. + +* Change `LEGO_EMAIL` to your email address +* Uncomment `LEGO_URL` to use the production API + +```console +kubectl create ns kube-lego +kubectl create -f deployment.yaml +``` + +## Enable kube-lego in the testing application + +This will add a TLS secret name and tls-acme annotation to the ingress resource created +in the deployment instruction. + +* Change both `echo.example.com` to the public domain of your Ingress controller + +```console +kubectl replace -f app-ingress.yaml +``` + +The `app-tls` secret and the https url should be updated. Check the log output of +HAProxy Ingress and kube-lego pods if this doesn't happen. diff --git a/examples/haproxy/app-ingress.yaml b/examples/haproxy/app-ingress.yaml new file mode 100644 index 00000000..549dde37 --- /dev/null +++ b/examples/haproxy/app-ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: "haproxy" +spec: + tls: + - hosts: + - echo.example.com + secretName: app-tls + rules: + - host: echo.example.com + http: + paths: + - path: / + backend: + serviceName: http-svc + servicePort: 8080 diff --git a/examples/haproxy/lego-deployment.yaml b/examples/haproxy/lego-deployment.yaml new file mode 100644 index 00000000..b1f6a90d --- /dev/null +++ b/examples/haproxy/lego-deployment.yaml 
@@ -0,0 +1,45 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: kube-lego + namespace: kube-lego +spec: + selector: + matchLabels: + app: kube-lego + template: + metadata: + labels: + app: kube-lego + spec: + containers: + - name: kube-lego + ## HAProxy support isn't on the stable release yet! + image: jetstack/kube-lego:canary + imagePullPolicy: Always + ports: + - containerPort: 8080 + env: + ## Use HAProxy Ingress + - name: LEGO_DEFAULT_INGRESS_CLASS + value: haproxy + ## Specify your email address + - name: LEGO_EMAIL + value: you@example.com + ## Uncomment LEGO_URL to use the production API - default is to use staging + # - name: LEGO_URL + # value: https://acme-v01.api.letsencrypt.org/directory + - name: LEGO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LEGO_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + readinessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 1
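Review bot: the new link target `/examples/haproxy` in the `## Usage` hunk (and again in the `## Full deployment examples` hunk) is a root-relative directory path, while the neighbouring entries use repo-relative file paths such as `examples/nginx/README.md` and `examples/gce/`; use `examples/haproxy/README.md` in both places so the link resolves the same way as the others wherever the README is rendered.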
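Review bot: the environment-variable table hunk adds `LEGO_SERVICE_NAME_HAPROXY` and `LEGO_INGRESS_NAME_HAPROXY` and extends the `LEGO_SUPPORTED_INGRESS_CLASS` / `LEGO_SUPPORTED_INGRESS_PROVIDER` defaults to `nginx,haproxy,gce`, but the example deployment in this same patch selects the provider with `LEGO_DEFAULT_INGRESS_CLASS=haproxy`, which does not appear in the visible table lines; if that variable is not documented elsewhere in the table, add a row for it so readers can see which setting actually picks HAProxy. While touching this table, `verifcation` in the `LEGO_PORT` row should read `verification`.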
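Review bot: in the new `examples/haproxy/README.md`, the "Deploy kube-lego" step runs `kubectl create -f deployment.yaml`, but the manifest this patch adds is `examples/haproxy/lego-deployment.yaml`, so the command fails as written; either rename the file or change the command to `kubectl create -f lego-deployment.yaml`. Minor wording in the same file: `it's own namespace` and `it's related service` should be `its`, and `https url` should read `HTTPS URL`.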
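Review bot: `kubectl replace -f app-ingress.yaml` only succeeds if an Ingress named `app` already exists in the target namespace, and the new `app-ingress.yaml` assumes the upstream test app is exposed as `http-svc` on port `8080`; the README should state that the name and backend must match the Ingress created by the linked HAProxy deployment instructions (or use `kubectl apply`, which also covers the case where it does not exist yet). Because `kubernetes.io/tls-acme: "true"` makes kube-lego request a certificate for the listed host, the note about replacing both `echo.example.com` occurrences should also say the hostname must publicly resolve to the HAProxy Ingress so the HTTP verification on `LEGO_PORT` can be reached.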
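Review bot: `lego-deployment.yaml` pins `image: jetstack/kube-lego:canary` together with `imagePullPolicy: Always`, so every pod restart pulls whatever the floating `canary` tag points at that day; the inline comment explains why (HAProxy support is not in a stable release yet), but for a component that manages the ACME account secret and writes TLS secrets into application namespaces, a reviewer would want the tag pinned to a specific build (or an image digest) and a TODO to move to the next tagged release once HAProxy support ships in it.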