kubernetes-letsencrypt
A Kubernetes controller to retrieve Let's Encrypt certificates based on service annotations (unmaintained)
We've been getting this exception for some time (we're getting ~2k of them a day):
```
in.tazj.k8s.letsencrypt.util.LetsencryptException: No matching zone found.
    at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.updateCloudDnsRecord(CloudDnsResponder.kt:59)
    at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.addChallengeRecord(CloudDnsResponder.kt:26)
    at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.prepareDnsChallenge(CertificateRequestHandler.kt:177)
    at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.authorizeDomain(CertificateRequestHandler.kt:77)
    at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.access$authorizeDomain(CertificateRequestHandler.kt:27)...
```
These are coming in January 2018 and it would be cool to have support right away: https://letsencrypt.org/2017/06/14/acme-v2-api.html Gotta see if the ACME lib will be updated or if this is...
Kubernetes has support for [third-party resources](https://github.com/kubernetes/kubernetes/blob/master/docs/design/extending-api.md). Ideally instead of using service annotations this controller would watch a custom third-party `CertificateRequest` object and create secrets based on that to decouple consuming...
Using kubernetes-letsencrypt v1.7 with Cloud DNS and GKE, we've observed a "too many currently pending authorizations" error. This is surprising, since the limit is 300 pending authorizations, but we only...
When validating updated DNS records the controller currently determines the authoritative nameservers for the zone via the DNS servers configured in the OS. In case of something like a split-brain...
We're starting to hit letsencrypt rate limits for number of subdomains on a registered domain (20 certs a week). This could be mitigated by bundling up each service's domains into...
Allow overriding hosted zone detection in case somebody has a zone set up but nothing delegated to it.
Currently the type of the annotation field is technically something like `Either` with this silly line: `if (requestAnnotation.startsWith("[")) {` I don't remember why I added support for that but it...
As mentioned in https://github.com/tazjin/kubernetes-letsencrypt/commit/4e3bbd6b32bafd2e6e83f44f329792cb87099172 and the comment in the code, Cloud DNS updates sometimes have not fully propagated when they are marked as "DONE" and even when the DNS observer...