Let's Encrypt (kube-lego) support
To simplify SSL, which otherwise can be quite painful, we should support automatically generating Let's Encrypt certificates. A great way to do this is via kube-lego, which can provision certificates for hostnames with a minimum of configuration. We should be able to leverage the work we did in gitlab-omnibus to reduce the effort required.
Do note that kube-lego requires specific RBAC rights or it will fail to start:
github.com/jetstack/kube-lego/pkg/kubelego/watch.go:104: Failed to list *extensions.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"
There is some discussion here around requirements: https://github.com/jetstack/kube-lego/issues/99
Edited by Joshua Lambert
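A least-privilege RBAC manifest that addresses the error above, as an added example that is not kube-lego's or GitLab's own manifest. The `kube-lego` namespace and the `ingresses.extensions` list permission come from the error message; the object names and the rules for services, endpoints and secrets are assumptions about what kube-lego touches and should be checked against the linked issue.

```yaml
# Added example, not taken from the kube-lego or GitLab charts.
# A dedicated ServiceAccount avoids granting rights to the namespace's
# "default" account, which every other pod in the namespace would inherit.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-lego        # assumed name
  namespace: kube-lego   # namespace as shown in the error message
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-lego        # assumed name
rules:
  # The failing call on the page: list ingresses.extensions at cluster scope.
  # Assumption: the remaining verbs cover kube-lego managing its own
  # challenge Ingress.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Assumption: kube-lego creates a Service for the ACME challenge endpoint.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "update", "delete"]
  # Assumption: certificates and the ACME account key are stored as Secrets.
  # No "list" or "watch" on secrets, so the account cannot enumerate them,
  # but it can still read any Secret whose name it knows.
  - apiGroups: [""]
    resources: ["endpoints", "secrets"]
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-lego        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-lego
subjects:
  - kind: ServiceAccount
    name: kube-lego
    namespace: kube-lego
```

The kube-lego Deployment must set `serviceAccountName: kube-lego` for the binding to apply. The grant can be checked with `kubectl auth can-i list ingresses.extensions --as=system:serviceaccount:kube-lego:kube-lego`.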