LoadBalancers, Kubernetes and LetsEncrypt Wildcards

November 5, 2018
Kubernetes Load Balancing Let's Encrypt

Hey all,

Does anyone know of a timeline for DO to implement issuing wildcard SSL certificates on LoadBalancers, e.g. *.example.com?

Running a Kubernetes cluster with Nginx ingress on DO would be perfect if we could issue a wildcard certificate on the load balancers so routes like my-app-staging.example.com and my-app.example.com have valid SSL certificates.



4 Answers

You could try using Traefik meanwhile.


I am playing with cert-manager and HashiCorp Vault on another project and thought I would try it for fun on DigitalOcean against Let's Encrypt.

Here is a very plain ingress-nginx setup with default config; I just added the loadbalancer.yaml, which creates a DigitalOcean load balancer and points to my ingress-nginx:

Next I added a DNS A record of *.my.domain and pointed it to the DO load balancer.
Next I added cert-manager and a Let's Encrypt issuer:

Now I can submit a certificate request and ingress rule and serve Let's Encrypt certificates with ingress-nginx behind the load balancer.
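
A configuration sketch of the cert-manager step described in the answer above, extended to a wildcard name; it is an added example, not the answerer's manifests. It assumes the current cert-manager.io/v1 API, a DNS zone hosted on DigitalOcean, and hypothetical resource names, namespaces and e-mail address. Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the issuer needs a DNS API token.

```yaml
# Assumed to exist already: a Secret named "digitalocean-dns" in the
# cert-manager namespace holding a DigitalOcean API token under "access-token".
# The token can edit DNS records, so restrict read access to that Secret.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01            # hypothetical name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com         # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key   # ACME account key, created by cert-manager
    solvers:
    - dns01:                         # wildcard names cannot use HTTP-01
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: access-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com         # hypothetical name
  namespace: my-app                  # must match the namespace of the Ingress using it
spec:
  secretName: wildcard-example-com-tls   # TLS Secret referenced from the Ingress "tls" section
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"                  # covers my-app.example.com and my-app-staging.example.com
  - example.com                      # the apex is not covered by the wildcard
```

The certificate's private key lives in the `wildcard-example-com-tls` Secret inside the cluster, so TLS is still terminated at ingress-nginx rather than at the load balancer.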

Actually, I created a setup with Traefik. See my blog post here

You can set a wildcard domain in the config of Traefik.

I'd like to also request this. Using ingress-nginx or Traefik certainly works with Let's Encrypt on DO k8s, but terminating TLS within the cluster adds a solid ~50ms of latency. Terminating TLS at the load balancer results in a 50ms performance improvement.
