Using ACME HTTP validation with LoadBalancer services


Gert van den Berg

Aug 5, 2019, 6:06:26 AM8/5/19
to cert-manager-dev
Hi,

It seems like ACME HTTP validation needs an ingress.

Currently, we are looking to move some RabbitMQ instances that are currently running on VMs to Kubernetes.

On the VM, we use certbot with the --standalone option for certificate management currently. (RabbitMQ does not listen on port 80)

Some way to do something similar with LoadBalancer services that does not use port 80 would be useful. (Currently I have a LoadBalancer service and a Certificate resource)

Is there a Kubernetes limitation that requires all ports in a service to point to the same set of pods that prevents this?

If not, it would be useful if cert-manager could reconfigure the LB for validation (if port 80 is unused) and possibly even provide an option to allow temporarily breaking port 80 for validation (if it just redirects to HTTPS and HSTS is configured it is unlikely to affect much, and that behaviour can even be emulated).

(DNS is not practical for us, we are using Cloudflare, which only has full API keys, which I do not want lying around on several clusters) (The HTTP01 validation is also much more self-contained, in that it does not need additional configs / credentials above what is needed for the app to run)

(I just realised that the Certificate resource type would also need some attribute to allow it to find the relevant LoadBalancer service (since the IP that the DNS points to is from there and the listener would need to be on that IP))

(Another option might be to add an additional container to the destination pod to run the challenge-responder, which could work even if the endpoints for all ports in the LB need to point to the same set of pods)

Thanks,
Gert van den Berg
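As an added example (not code from the post or from cert-manager), here is what the sidecar challenge-responder suggested in the last paragraph would need to do: build the RFC 8555 key authorization (the token plus the RFC 7638 thumbprint of the ACME account key) and serve it only at the exact `/.well-known/acme-challenge/<token>` path, returning 404 for anything else. The account JWK coordinates and the pending token are constructed sample values, and listening on port 8080 behind the LB's port 80 is an assumption.

```python
import base64, hashlib, json, re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# RFC 7638: only these members (in lexicographic order) feed the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
PREFIX = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JSON of the required members; extra members are ignored."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_response(path: str, pending: set, account_jwk: dict):
    """Answer only an exact, currently pending base64url token under PREFIX; otherwise None."""
    clean = urlparse(path).path
    if not clean.startswith(PREFIX):
        return None
    token = clean[len(PREFIX):]
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token) or token not in pending:
        return None
    return key_authorization(token, account_jwk)

# Constructed sample values (not a real key): an EC P-256 account JWK and one pending token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
PENDING_TOKENS = {"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"}

class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = challenge_response(self.path, PENDING_TOKENS, ACCOUNT_JWK)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Assumed: the LoadBalancer forwards port 80 to this container on port 8080.
    HTTPServer(("0.0.0.0", 8080), ChallengeHandler).serve_forever()
```

The responder only needs the account key thumbprint and the pending tokens, which is what makes the HTTP01 route self-contained compared with handing DNS API credentials to every cluster.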