
Simplify Let's Encrypt Certificate Management for Kubernetes - dlsniper
https://github.com/PalmStoneGames/kube-cert-manager
======
zalmoxes
I've been using this project on GKE for ~2 weeks now in combination with the
nginx ingress controller. I have it configured to use the DNS challenge to get
new certs so I don't have to expose an extra port as well.

It feels liberating to just get an SSL cert for any subdomain I need and have
the whole process abstracted from me.

~~~
psg-luna
Since a few days ago, ingress objects are now supported directly with the
correct annotations. See [https://github.com/PalmStoneGames/kube-cert-manager/blob/mas...](https://github.com/PalmStoneGames/kube-cert-manager/blob/master/docs/ingress.md)

------
colemickens
I thought I wanted this for a long time, but `kube-lego` gets me very similar
results... without needing to inject credentials for my DNS provider to my
cluster.

I'm curious if others have thoughts on this vs kube-lego. (I would agree that
I like the approach of this project quite a bit more than kelseyhightower's.
This feels more complete, works with far more providers, etc)

~~~
psg-luna
You can use http challenges with kcm as well, which is what ensures you don't
need to inject dns credentials.

~~~
colemickens
Whoa! This is really great! Thank you for this (and to think I was excited to
see the Caddy secret backend, this is way better IMO)!

edit: Oh my, and I can use this for the HTTP challenge and still use it with
other Ingress controllers. I'd love to buy you a beer/rootbeer or something,
I'm so tickled to have this!

~~~
psg-luna
If you're ever in Stockholm, prod me on Twitter and we can have a rootbeer :)

------
endymi0n
Big kudos to Luna for fusing both of these awesome projects - this was
actually on our backlog too and helped a lot!

------
coleca
Found this similar project a couple days ago:
[https://github.com/tazjin/kubernetes-letsencrypt](https://github.com/tazjin/kubernetes-letsencrypt)

Doesn't seem quite as configurable but looks a bit simpler to implement.

~~~
tazjin
Please file an issue if you're missing some configuration option! I explicitly
don't intend to support other challenge mechanisms than DNS though.

------
brudgers
I'm curious what advantages and tradeoffs it has over the project that it is
based upon [1] for a person choosing between them.

[1]: [https://github.com/kelseyhightower/kube-cert-manager](https://github.com/kelseyhightower/kube-cert-manager)

~~~
psg-luna
Largely, [https://github.com/kelseyhightower/kube-cert-manager](https://github.com/kelseyhightower/kube-cert-manager) is incomplete

* it does not support subdomains (only root domains)

* it only supports googlecloud as dns provider

* Bugs and PRs remain unanswered/unmerged

Meanwhile the linked project supports http, SNI and DNS challenges, with
around 20 or so DNS providers available. It also supports managing certs for
ingress objects directly.

~~~
thockingoog
Does it support multiple SANs on a single cert? I want to streamline things
like vanity domain redirections, where every domain I add requires me to
refresh the cert.

~~~
psg-luna
Unfortunately, not currently, no :< It's trivial to get separate certs, but
getting them all on a single cert is not in yet.

------
Motomorgen
What are the major differences between this and say kube-lego that might entice
someone to switch?

~~~
psg-luna
You can manage individual certs with cert objects that aren't used by
ingresses.

~~~
Motomorgen
Very cool, thank you!

