Hi all,

I finally have some news to share.

I've got the code working and polished. It now resides in the master
branch and there is CI testing the code and pushing images to Docker
Hub.

For those who knew the previous name, the project is now called
"openshift-acme". It is an OpenShift/Kubernetes controller written in
Go that does certificate management using the ACME protocol. (Let's
Encrypt is one of the ACME providers.)

It aims to be production (scale) ready, but right now it's in pre-alpha
stage. That said, I would appreciate your feedback early on, so please go
there [1] and try it out. I will appreciate your feedback and as always
PRs are welcome!

You can find out more on GitHub:
  https://github.com/tnozicka/openshift-acme

A few caveats at the end:
 - at this point the controller supports only OpenShift Routes (it is
   designed with Ingress and Secrets in mind; it just needs a bit of
   plumbing which I didn't have time to write yet. There is a section of
   the design doc describing it [2])
 - it doesn't do dns-01 challenges yet
 - it's using k8s/client-go with custom serialization for OpenShift
   Routes, but I will get rid of it once OpenShift has their client-go
   ready
 - probably some more...

Regards,
Tomas

[1] - https://github.com/tnozicka/openshift-acme#deploy
[2] - https://github.com/tnozicka/openshift-acme/blob/master/docs/design/architecture.adoc#supported-objects
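As an added illustration (not code from openshift-acme or from Tomas), here is the ACME challenge material a controller like this has to produce and serve: the RFC 7638 thumbprint of the account key, the http-01 key authorization served under /.well-known/acme-challenge/<token> (the part the router forwards to the controller), and the TXT record value a dns-01 challenge would need once that is supported. The token, the P-256 account key and the in-process test server are constructed for the example; verifyHTTP01 stands in for the CA side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// b64 is the base64url-without-padding encoding ACME uses throughout.
var b64 = base64.RawURLEncoding

// jwkThumbprint computes the RFC 7638 thumbprint of a P-256 account key:
// SHA-256 over the canonical JSON {"crv","kty","x","y"} with members in
// lexicographic order, fixed 32-byte coordinates and no whitespace.
func jwkThumbprint(pub *ecdsa.PublicKey) []byte {
	x := b64.EncodeToString(pub.X.FillBytes(make([]byte, 32)))
	y := b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
	canonical := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)
	sum := sha256.Sum256([]byte(canonical))
	return sum[:]
}

// keyAuthorization binds a challenge token to the account key:
// token || "." || base64url(thumbprint). This exact string is the body an
// http-01 responder must serve for that token.
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + b64.EncodeToString(jwkThumbprint(pub))
}

// dns01Value is what a dns-01 TXT record at _acme-challenge.<domain>
// must contain: base64url(SHA-256(keyAuthorization)).
func dns01Value(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64.EncodeToString(sum[:])
}

const challengePrefix = "/.well-known/acme-challenge/"

// challengeHandler serves pending http-01 responses. Unknown tokens get a
// 404 rather than any echo of the request, so the endpoint reveals nothing
// about domains that are not currently being validated.
type challengeHandler struct {
	pending map[string]string // token -> keyAuthorization (constructed here)
}

func (h *challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.URL.Path, challengePrefix)
	keyAuth, ok := h.pending[token]
	if !ok || token == "" || strings.Contains(token, "/") {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	io.WriteString(w, keyAuth)
}

// verifyHTTP01 plays the CA side: fetch the token URL over plain HTTP and
// compare the body to the key authorization the CA computes itself from
// the account's public key.
func verifyHTTP01(baseURL, token string, pub *ecdsa.PublicKey) (bool, error) {
	resp, err := http.Get(baseURL + challengePrefix + token)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK &&
		strings.TrimSpace(string(body)) == keyAuthorization(token, pub), nil
}

// runExchange wires both sides together with a fresh account key and the
// given (constructed) token, returning whether validation succeeded.
func runExchange(token string) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	h := &challengeHandler{pending: map[string]string{
		token: keyAuthorization(token, &key.PublicKey),
	}}
	srv := httptest.NewServer(h)
	defer srv.Close()
	return verifyHTTP01(srv.URL, token, &key.PublicKey)
}

func main() {
	ok, err := runExchange("constructed-token-evaGxfADs6pSRb2LAv9IZf17")
	fmt.Println("http-01 validated:", ok, err)
}
```

In a router-fronted deployment the only thing the controller has to expose is the path under challengePrefix for the domain being validated, which is why edge termination on the route is enough for the application itself to stay plain HTTP; the key authorization is public by design, and the secret that matters is the account key that produced the thumbprint.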



On Mon, 2016-11-28 at 14:15 +0100, Tomas Nozicka wrote:
> Thank you all for the feedback and to Rajat for the offer to help.
> 
> I've looked into it and I like two of them as a basis for my controller
> implementation: kube-lego[11] and kube-cert-manager[10]. Mostly because
> they seem to be closest to a proper solution. Both of them are missing
> some part of functionality that the other one has. Like kube-cert-manager
> doesn't work with ingress, but creates certificate objects that can be
> mounted to the pods as secrets and supports dns-01 challenge. But both
> don't support OpenShift Routes.
> 
> I definitely want this new project to be production ready and to have
> native support for OpenShift as well as Kubernetes.
> 
> I will work on a proposal for those interested to vet, but in the
> meantime here are some important features for the design I have in
> mind:
> 
> - Native support for OpenShift Routes
> 
> - Support for Ingress
> 
> - Generating certificate objects or secrets mountable into pods
>   There are multiple termination policies and if you are not terminating
>   SSL on the router you need to mount certificates to pods. Also for
>   non-HTTP(S) protocols.
> 
> - dns-01 challenge (for generating certificates in case of not using the
>   HTTP(S) protocol or being behind a firewall or VPN)
> 
> - Automated certificate renewal
> 
> 
> Regards,
> Tomas
> 
> 
> [10] - https://github.com/kelseyhightower/kube-cert-manager
> [11] - https://github.com/jetstack/kube-lego
> 
> On Thu, 2016-11-24 at 14:35 +0100, Tomas Nozicka wrote:
> > I've been thinking for a long time about some kind of support for Let's
> > Encrypt [1] in OpenShift. In the meantime Kelsey Hightower came up with
> > his PoC for Kubernetes [2]. It's a great starting point although it
> > will need modifications to work with OpenShift's router. Actually I
> > think that in combination with the router it becomes more powerful,
> > because your app does not even need to support HTTPS and reading
> > certificates if your route is set to edge termination.
> > 
> > The main goal here is to provide OpenShift users with valid
> > certificates for free and enable HTTPS for everyone. It will also take
> > care of certificate renewal.
> > 
> > I believe this could be a great feature for OpenShift. I know I
> > definitely want this for my server at home, but I think this could even
> > work for Online, but let's not get ahead of ourselves. It would make an
> > awesome demo if you could just create a route for your service in
> > OpenShift and get HTTPS (with a valid certificate) out of the box, or
> > after installing the controller.
> > 
> > I would be interested in writing such a controller for OpenShift based
> > on Kelsey's work, but I would appreciate some form of guidance from
> > someone who knows the router or in general. I'd like to build this as
> > an OSS with production quality; not just a PoC.
> > 
> > And I wanted to check if someone isn't already working on that?
> > 
> > 
> > Thanks,
> > Tomas
> > 
> > [1] - https://letsencrypt.org/
> > [2] - https://github.com/kelseyhightower/kube-cert-manager

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev