How to keep NodeBalancer certificate up-to-date
I am using a Linode NodeBalancer created via Ingress Nginx. To receive the real client IP, I am considering switching from the TCP to the HTTPS protocol, which requires an SSL certificate and private key. As far as I understand, it should be issued by a public authority, like Let's Encrypt. At the same time, such certificates are typically issued for 3 months. Is there any easy way to auto-renew certificates in the NodeBalancer configuration? Ideally a Terraform-based solution.
Note: Please do not offer TCP and proxy protocol; it does not work with Kubernetes internal communication properly.
1 Reply
You should be able to use cert-manager, which uses CustomResourceDefinitions to configure and request certificates, to set this up. We have a guide to help with that:
Based on this part here, this sounds like it could have everything you need:
This guide will use an example Kubernetes Deployment and Service to demonstrate how to route external traffic to a Kubernetes application over HTTPS. This is accomplished using the NGINX Ingress Controller, cert-manager and Linode NodeBalancers.
As I understand it, cert-manager can be configured in a variety of ways, and I'm not sure if there is a default behavior for auto-renewal, but you should be able to set the renewBefore: value in the YAML to what you need. This isn't something I've done before, so you may need to play around a bit to get everything working. You can read more about renewal triggers in their documentation:
I'm not sure if this helps, but I found a Terraform Module for cert-manager.
I hope something here gets you moving in the right direction.
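A pair of cert-manager manifests showing where renewBefore sits, added here as an example and not part of the original reply or the Linode guide. The issuer name, hostname, secret name, namespace and e-mail address are placeholders, and the timings assume Let's Encrypt's 90-day certificates with the NGINX Ingress Controller answering HTTP-01 challenges.

```yaml
# Example only: names, hostname and e-mail below are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod            # placeholder issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, kept in a Secret
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx  # challenge is served through ingress-nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls       # TLS Secret that cert-manager writes and rewrites
  dnsNames:
    - www.example.com               # placeholder hostname
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  # Let's Encrypt issues 90-day certificates whatever duration is requested;
  # stating it keeps the renewBefore arithmetic readable.
  duration: 2160h                   # 90 days
  # Start renewal 30 days before notAfter, leaving time to notice and fix
  # a failing challenge before the served certificate expires.
  renewBefore: 720h
  privateKey:
    rotationPolicy: Always          # generate a fresh key on every renewal
```

After applying, `kubectl describe certificate example-com-tls` shows the Not After and Renewal Time that cert-manager computed, which is the quickest check that renewal is scheduled when you expect.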