Is this a BUG REPORT or FEATURE REQUEST?:
Uncomment only one, leave it on its own line:
/kind bug
/kind feature
What happened:
I have a Cluster Issuer using DNS01 with Cloudflare, and an ingress using the cert-shim with annotations.
I create an ingress and it works as expected.
Then I update the ingress with a new hostname to fetch the certificate from.
What you expected to happen:
As a user I would like the certificates to get updated whenever the ingress from which it has been created gets updated. At the moment this just creates a certificate for the first time and needs the user to update the certificate configuration to match the ingress.
I think that using annotations helps to avoid deduplicated configuration such as the host and domain configuration that is found in the Ingresses, and at the moment we end up having to maintain configuration in Certificates and in the Ingresses.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I know that this has already been noted down in the documentation, but I haven't found any issue or follow up on when or if it will be implemented.
Environment:
kubectl version): 1.8.3
Yeah I agree this is a problem. Two best workarounds right now would be:
ingress-shim to recreate it
At the moment what I'm doing is delete and recreate the ingress when updating it.
This way I do not touch two different resources (Certificate and Ingress) and in case the ingress hostnames do not change, cert-manager is intelligent enough not to try to request the same certificate again. Not sure if it's the best workaround, but at least from the command line point of view it is quite fast.
BTW, I don't have much time and haven't played with cert-manager as a developer a lot, but I would be willing to help a bit with the development of this feature if needed.
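Until the Certificate follows Ingress updates, the stale state described in this issue can be detected by comparing each Ingress TLS block with the Certificate that writes to the same secret. The script below is an added example, not part of the thread and not cert-manager code; it assumes input shaped like `kubectl get ingress,certificate -o json`, uses constructed sample objects with hypothetical names, and compares names exactly (no wildcard matching).

```python
import json

# Constructed sample input (hypothetical names), shaped like the "items"
# list from `kubectl get ingress,certificate -o json`.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Ingress", "metadata": {"namespace": "web", "name": "shop"},
   "spec": {"tls": [{"secretName": "shop-tls",
                     "hosts": ["shop.example.com", "new.example.com"]}]}},
  {"kind": "Certificate", "metadata": {"namespace": "web", "name": "shop-tls"},
   "spec": {"secretName": "shop-tls", "commonName": "shop.example.com",
            "dnsNames": ["shop.example.com"]}},
  {"kind": "Ingress", "metadata": {"namespace": "web", "name": "api"},
   "spec": {"tls": [{"secretName": "api-tls", "hosts": ["api.example.com"]}]}}
]}
""")


def find_drift(items):
    """Return (ingress, secret, reason, names) for every Ingress TLS block
    whose hosts differ from the Certificate targeting the same secret."""
    certs = {}
    for obj in items:
        if obj["kind"] == "Certificate":
            spec = obj["spec"]
            names = set(spec.get("dnsNames") or [])
            if spec.get("commonName"):
                names.add(spec["commonName"])
            certs[(obj["metadata"]["namespace"], spec["secretName"])] = names

    findings = []
    for obj in items:
        if obj["kind"] != "Ingress":
            continue
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        for tls in obj["spec"].get("tls") or []:
            secret, hosts = tls.get("secretName"), set(tls.get("hosts") or [])
            covered = certs.get((ns, secret))
            if covered is None:
                findings.append((name, secret, "no-certificate", sorted(hosts)))
            elif hosts - covered:  # hostname added to the Ingress only
                findings.append((name, secret, "missing-hosts", sorted(hosts - covered)))
            elif covered - hosts:  # hostname removed from the Ingress only
                findings.append((name, secret, "stale-names", sorted(covered - hosts)))
    return findings


if __name__ == "__main__":
    for finding in find_drift(SAMPLE["items"]):
        print(*finding)
```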
I'm going to tackle this over the next couple of weeks. ingress-shim itself was a quick PoC implementation, so there are a number of things (such as this) to deal with.
Thanks for opening a ticket to track!
@munnerz Great to hear and thanks for jumping on this. Happy to help in any way as well. As an aside, does the quick PoC implementation for ingress-shim imply that it isn't suited for production use?
Hi @jasonjho neither kube-lego, nor cert-manager, nor nginx-ingress have made 1.x releases, so none are claiming to be 'production ready' 😄