Question

LoadBalancers, Kubernetes and LetsEncrypt Wildcards

Posted November 5, 2018 3.3k views
Load Balancing Let's Encrypt Kubernetes

Hey all,

Does anyone know of a timeline for DO to implement issuing wildcard SSL certificates on LoadBalancers, e.g. *.example.com?

Running a Kubernetes cluster with Nginx ingress on DO would be perfect if we could issue a wildcard certificate on the load balancers so routes like my-app-staging.example.com and my-app.example.com have valid SSL certificates.

Thanks,

Aaron


6 answers

I’d like to also request this. Using ingress-nginx or Traefik certainly works with Let’s Encrypt on DO k8s, but terminating TLS within the cluster adds a solid ~50ms of latency. Terminating TLS at the load balancer results in a 50ms performance improvement.

Why isn’t this implemented yet?!

Hi

I am playing with cert-manager and HashiCorp Vault on another project and thought I would try it for fun on DigitalOcean against Let’s Encrypt.

Here is a very plain ingress-nginx setup with the default config; I just added the loadbalancer.yaml, which creates a DigitalOcean load balancer and points to my ingress-nginx:
https://github.com/haugom/do-ingress-nginx

Next I added a DNS A record of *.my.domain and pointed it to the DO load balancer.
Next I added cert-manager and a Let’s Encrypt issuer:
https://github.com/haugom/do-cert-manager

Now I can submit a certificate request and an ingress rule and serve Let’s Encrypt certificates with ingress-nginx behind the load balancer.
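
A sketch of the issuer, certificate request and ingress rule described in the answer above, extended to the wildcard case from the question. This is an added example, not taken from the linked repositories; it assumes the current `cert-manager.io/v1` API and the cert-manager DigitalOcean DNS-01 solver, and every name, e-mail address and domain in it is a placeholder.

```yaml
# Added example: placeholder names, e-mail and domain; cert-manager.io/v1 API assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:            # Let's Encrypt validates wildcard names only over DNS-01
          digitalocean:
            tokenSecretRef:   # Secret in the cert-manager namespace holding a DO API token
              name: digitalocean-dns
              key: access-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default      # must be the namespace of the Ingress that uses the Secret
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
    - "*.example.com"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: default
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["my-app.example.com"]
      secretName: wildcard-example-com-tls
  rules:
    - host: my-app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: my-app, port: {number: 80}}
```

The API token can change DNS records and the wildcard key is valid for every host under the domain, so limit who can read both Secrets.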

Actually, I created a setup with Traefik. See my blog post here

You can set a wildcard domain in the config of Traefik

I wonder why there’s no more support for this. Naturally, this can be achieved by doing TLS on the cluster, but that means it’s just yet something else to worry about and manage.

You could try using Traefik meanwhile.