
Early fail if LEGO_EMAIL is not overridden from the default value

Open pgporada opened this issue 7 years ago • 3 comments

If LEGO_EMAIL is not overridden by a user from the default value of [email protected], there should be an early fail message to the user before even reaching out to Let's Encrypt. A valid email address allows a Let's Encrypt subscriber to receive certificate expiry notifications which are crucial to the proper operation of an encrypted web :+1: . The default of [email protected] won't allow sending the subscriber that email, hence the early fail message. Even in a subscriber's staging environment, the expiry notification email is useful to experience and be aware of :+1: .

For more details on that, please see https://letsencrypt.org/docs/expiration-emails/

Significantly, [email protected] is the default value set in the kubernetes/charts repository located at https://github.com/kubernetes/charts/blob/master/stable/kube-lego/values.yaml.

pgporada avatar Mar 28 '17 23:03 pgporada
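A sketch of the early-fail check requested above, as an added example that is not kube-lego's own code or part of the original thread. The function name `validateLegoEmail` is hypothetical, `placeholderEmail` stands in for the chart default (whose value is obscured on this page), and the reserved-domain list goes beyond the request by also rejecting RFC 2606 / RFC 6761 names that can never receive mail.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"os"
	"strings"
)

// placeholderEmail is an assumed stand-in for the chart default; substitute the real value.
const placeholderEmail = "CHART_DEFAULT_EMAIL_PLACEHOLDER"

// reservedSuffixes lists RFC 2606 / RFC 6761 names that never deliver mail.
var reservedSuffixes = []string{"example.com", "example.net", "example.org",
	"example", "test", "invalid", "localhost"}

// validateLegoEmail returns an error when the address could not receive
// Let's Encrypt expiry notices, so the caller can stop before any ACME request.
func validateLegoEmail(raw string) error {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return errors.New("LEGO_EMAIL is not set")
	}
	if strings.EqualFold(raw, placeholderEmail) {
		return errors.New("LEGO_EMAIL still has the chart default value")
	}
	addr, err := mail.ParseAddress(raw)
	if err != nil {
		return fmt.Errorf("LEGO_EMAIL is not a valid address: %w", err)
	}
	// Compare on a label boundary so "notexample.com" is not rejected.
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	for _, s := range reservedSuffixes {
		if domain == s || strings.HasSuffix(domain, "."+s) {
			return fmt.Errorf("LEGO_EMAIL domain %q is reserved and cannot receive mail", domain)
		}
	}
	return nil
}

func main() {
	if err := validateLegoEmail(os.Getenv("LEGO_EMAIL")); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("LEGO_EMAIL accepted")
}
```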

Unless I'm missing something: LEGO_EMAIL is a required field, and kube-lego fails if it is not set (https://github.com/jetstack/kube-lego/blob/master/pkg/kubelego/kubelego.go#L224). It looks to me like the problem is in the helm chart itself, which provides a completely bogus value as a default (if it wanted to provide a default, then it should use an example.com domain, at least!). If the chart were not to provide any value, you'd get the behavior you're looking for: early failure.

ankon avatar Mar 31 '17 11:03 ankon

Yep, this is an issue with the Helm chart itself.

Now that Helm 2.3 is released, there is a new required keyword that we can use.

I've put in a PR here: https://github.com/kubernetes/charts/pull/912

munnerz avatar Apr 11 '17 12:04 munnerz

Quick question, if you initially deployed Kube-Lego and even received a few certificates for production sites with the default e-mail, can you update the address to your correct e-mail and then delete and redeploy the ConfigMap and Deployment?

Do you believe future renewals and certificate requests would continue without errors with the corrected e-mail?

Obviously I just realised I did this :sweat_smile: and now I'm coming here for consolation from hopefully finding out that my mistake wasn't fatal.

chepurko avatar May 04 '17 22:05 chepurko