Is this a BUG REPORT or FEATURE REQUEST?:
FEATURE REQUEST
Uncomment only one, leave it on its own line:
/kind bug
/kind feature
What happened:
Add support for Envoy Proxy, which is an alternative to Nginx & HAProxy
What you expected to happen:
Envoy proxy should be able to receive certificates from LetsEncrypt
How to reproduce it (as minimally and precisely as possible):
NA
Anything else we need to know?:
No
Environment:
kubectl version): All
cert-manager is not tied to any one ingress controller implementation and should already work out the box with Envoy. I'd encourage you to try it yourself and open issues here if you do run into problems. If it does work though, a PR adding a note to the docs for future users that it is confirmed working would be awesome!
I got it to work
https://github.com/istio/admin-sites/pull/32/files
but it was a bit difficult (mostly because of how to make the http01 challenge pod reachable from the ingress - with/despite istio auth - feedback most welcome if there is a simpler way)
I think this comes down to the fact that the Istio ingress controller only allows specifying that auth should be on/off at a per-ingress level, but also has a 1:1 mapping between ingress point and ingress resource.
This means there's no way to configure two routes with a single ingress point, one with auth and one without.
Do correct me if I'm wrong in my understanding of how istio ingress works, I've not used it myself!
The annotation in the PR above does turn off auth selectively which is why it works.
I'll work with our security team to have an automatic option as it doesn't really make sense to try mTLS to non-injected services
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
@ldemailly would cert-manager with istio-ingress work out of the box if we were to simply set the auth.istio.io/8089: NONE on the Service resources we create? Is there anything else special here?
We could consider adding this annotation whenever we attempt HTTP01 validation to make this experience a lot more seamless if so.
to avoid https://github.com/istio/admin-sites/blob/master/fortio/stage/cert.yaml#L73-L85
yes that would be all needed on the services you dynamically create
I wonder how to make that generic - allow custom annotations in the certmanager.k8s.io/v1alpha1/Certificate ?
there is also the routing itself (further down in that file) - which just changed in 0.8 and I haven't converted to gateway yet
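The exchange above suggests cert-manager could annotate its HTTP01 solver Services with `auth.istio.io/<port>: NONE` so Istio does not attempt mTLS to the non-injected solver pod. As an added illustration (not cert-manager's or Istio's own code), the snippet below audits a Service object for ports lacking that annotation and produces the annotated copy; the Service name, labels and port 8089 are constructed sample values.

```python
from copy import deepcopy

# Per-port Istio auth override annotation discussed in this thread.
ISTIO_AUTH_PREFIX = "auth.istio.io/"

# Constructed sample: a Service like the one cert-manager creates for an
# HTTP01 challenge solver. Name, selector and port are assumptions.
SOLVER_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "cm-acme-http-solver-example", "annotations": None},
    "spec": {
        "selector": {"app": "cm-acme-http-solver-example"},
        "ports": [{"name": "http", "port": 8089, "targetPort": 8089}],
    },
}


def ports_subject_to_mtls(service):
    """Return ports with no 'auth.istio.io/<port>: NONE' annotation, i.e. ports
    Istio would still try to reach over mTLS (and fail, as the solver pod has
    no sidecar)."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    return [
        p["port"]
        for p in service.get("spec", {}).get("ports", [])
        if annotations.get(f"{ISTIO_AUTH_PREFIX}{p['port']}") != "NONE"
    ]


def disable_istio_auth(service):
    """Return a copy of the Service annotated so Istio skips mTLS on every
    declared port; the original object is left untouched."""
    patched = deepcopy(service)
    metadata = patched.setdefault("metadata", {})
    if not metadata.get("annotations"):
        metadata["annotations"] = {}
    for p in patched.get("spec", {}).get("ports", []):
        metadata["annotations"][f"{ISTIO_AUTH_PREFIX}{p['port']}"] = "NONE"
    return patched
```

Running `ports_subject_to_mtls` on a solver Service before it is created is a cheap check that the challenge endpoint will actually be reachable through the Istio ingress.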
Closing in favour of #231