-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use default cert-manager annotations to manage certificates #12
Comments
I'm pretty sure that we are already using ingress shim. I know that because I'm not creating any Certificate objects in the controller anymore? |
I prefer the TLS being in the Spec, this is to abstract away the gritty details from users |
I proposed this because I think that the way it works today has some drawbacks:
For me, having this YAML: apiVersion: openfaas.com/v1alpha2
kind: FunctionIngress
metadata:
name: nodeinfo
namespace: openfaas
annotations:
certmanager.k8s.io/issuer: "letsencrypt-staging"
spec:
domain: "nodeinfo.deployeveryday.com"
function: "nodeinfo"
ingressType: "nginx" Looks better than this: apiVersion: openfaas.com/v1alpha2
kind: FunctionIngress
metadata:
name: nodeinfo
namespace: openfaas
spec:
domain: "nodeinfo.deployeveryday.com"
function: "nodeinfo"
ingressType: "nginx"
tls:
enabled: true
issuerRef:
name: "letsencrypt-staging"
kind: "Issuer"
All of this is my personal taste... What would be nice is get some more users involved in this discussion and see what they think about 🤔 What do you think about this? Cheers 🚀 |
Agree with @jonatasbaldin , I use a wildcard certificate for my ingresses, and it seems that is not directly supported by this operator. I might be wrong though, or not the target audience for this operator? Is it recommended to create my own (non-Function) ingress resources for my use-case? |
@makkus as you noted, support for the HTTP01 challenge is already available, if you need the DNS01 challenge then feel free to open an issue to propose it. |
@alexellis thanks. I don't really need the DNS01 challenge, as I'm re-using the same wild-card certificate for every one of my ingresses. It kinda works for me at the moment, because I configured nginx-ingress to use the wild-card cert secret as the default. I can't access my logs at the moment, but if I remember right then it tries to get the secret that this operator should have configured, but couldn't, and then falls back to the default certificate. I guess I'd just prefer if I could configure this Ingress more or less the same way as a 'normal' one, except that I only need to specify the function name instead of the service details as usual. But at the end of the day it's not a big problem, I can always create the ingress manual, and not use this operator. Haven't tried it yet, but I don't assume this does anything super-special, right? |
@makkus what would it look like if we implemented what you needed? I need a bit more info from you please, because I don't seem to be seeing the full picture. Thanks 👍 |
Sure, I hope I remember the details right, the setup I used 2 weeks ago is gone and I'll re-build it again next week or so... Basically, (the tls-specific parts of) my 'normal' ingresses look like this:
This is an internal network that can't be reached from the internet, but because I'm using the dns challenge and the dns server pointing to the internal address I'm still getting a valid LetsEncrypt certificate for this service.
As I mentioned before, this kind of works with a 'FunctionIngress' like this one (note that I don't have a 'issuerRef' key at all):
But only because nginx is configured to use my wildcard cert as default. So I had to use the same subdomain (.intern.example.com) for my functions, another one like '.func.intern.example.com) didn't work, because the wildcard certificate wasn't issued for that. In the end, as I mentioned, I might just not be a good target audience for the FunctionIngress and it's probably not worth changing anything. I'm happy enough to just write my own Ingress resources for my functions if the 'default-wildcard-cert' thing I have at the moment doesn't work for some future use-case. But, of course, I'd still prefer if I didn't have to :-) |
I agree that the annotations look simpler and more compliant. I can also understand @alexellis point of view, though as a personal preference I would rather add a one line annotation than the custom tls section. Maybe a compromise would be to allow both? :) |
As far as I'm aware both are permissable. What happened when you tried? |
Without the TLS section, the certificate isn't created. |
Expected Behaviour
Instead of using the custom
spec.tls.*
definition to generate certificates we can use the default cert-manager annotations (certmanager.k8s.io/issuer
orcertmanager.k8s.io/cluster-issuer
), since #7 was implemented.Current Behaviour
We need to use a custom
spec.tls.*
definition to enable the certificate creation.Even though we are copying all the annotations to the Ingress, the current implementation of the controller doesn't support the default
cert-manager
ones.Possible Solution
Remove the special case for TLS annotations inside makeAnnotations and change the makeTLS functions to look into the annotations instead of
function.Spec.UseTLS()
.I didn't try these changes, just an idea by taking a quick look into the code. It may be more complicated than that.
Context
Using the same
Ingress
behaviour to create TLS certificates in theFunctionIngress
would require a lower learning curve, less docs and make configurations more standard across the cluster.The text was updated successfully, but these errors were encountered: