Cert-manager: Support for OpenShift `route` object

Created on 10 Nov 2018 · 16 comments · Source: jetstack/cert-manager

Feature request: Support for the route object of OpenShift.

Historically OpenShift makes use of an object called v1.Route to expose services via a router / loadbalancer. There is support for the ingress object, but route is still the native object used by many applications running on OpenShift. Getting support in cert-manager for this object would be great. There is already a similar tool available for OpenShift called openshift-acme, but it's not actively maintained and lacks a community, which cert-manager definitely has.

Describe the solution you'd like

Support for route object of OpenShift, in addition to the ingress object.

Describe alternatives you've considered

openshift-acme could be an alternative, but it's not as well maintained as this project.

/kind feature

Labels: help wanted, kind/design, kind/feature, priority/backlog

All 16 comments

As discussed in https://github.com/openshift/origin/issues/2162 support for accessing TLS certificate and key in secrets will most probably never be supported for OpenShift routes.

I'm definitely keen to improve how we integrate with Openshift, however I've not used it much myself.

It'd be great if you could expand out what you'd define as 'support' for routes in cert-manager so we can get a better understanding of what you'd expect.

We also need to come up with a solution for automated testing against Openshift before we can accept features like this IMO, else Openshift will always be a second class citizen.

We're also going to be 'opening up' cert-manager with a lot more plugin points in future with some API refactors, we should hopefully make this sort of thing a lot more feasible.

It'd be great if you could expand out what you'd define as 'support' for routes in cert-manager so we can get a better understanding of what you'd expect.

The OpenShift Route object in route.openshift.io/v1 has the following fields for managing TLS:

  • spec.tls.termination: If the value is edge, TLS gets terminated at the edge, meaning the loadbalancer managed by the OpenShift ingress controller.
  • spec.tls.key, spec.tls.certificate, spec.tls.caCertificate: Contains the certificate data in PEM format (_not_ a reference to a secret but the data!)

For detailed documentation about the Route object please consult the upstream documentation:

From cert-manager I would expect that the TLS fields get managed by it. That means that cert-manager observes the Route object and if a route has, for example, the annotation kubernetes.io/tls-acme: "true", it requests a certificate from an ACME endpoint, creates a temporary Route object for HTTP verification and updates the object with the received certificate, key and, if needed, CA certificate.

This description of course is just a suggestion, I'm sure there are a lot of details to work out, but as cert-manager has all the building blocks available it would be great to have this additional object supported.

@munnerz Does this help or do you need more information? I'm happy to assist in designing support for the OpenShift Route object.
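The reconcile flow proposed in the comment above, as an added example that is not part of this thread and not code from cert-manager, openshift-acme or cert-utils-operator. The `Route`/`RouteTLS` structs are a constructed stand-in for the real route.openshift.io/v1 type, reduced to the fields named above (spec.host, spec.tls.termination, spec.tls.key, spec.tls.certificate, spec.tls.caCertificate, plus the kubernetes.io/tls-acme annotation); the `renewBefore` window and the `issueSelfSigned` helper, which stands in for the ACME issuance step with a locally generated self-signed certificate, are assumptions made for the example. The point it demonstrates is the one worth getting right for a Route controller: because the Route carries key and certificate as inline PEM rather than a Secret reference, the controller must verify that the key matches the certificate and that the certificate covers spec.host before it writes anything into the object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for route.openshift.io/v1 Route with only the fields
// the thread discusses; not the real OpenShift API types.
type RouteTLS struct {
	Termination, Key, Certificate, CACertificate string // inline PEM, not a Secret reference
}

type Route struct {
	Host        string
	Annotations map[string]string
	TLS         *RouteTLS
}

const tlsACMEAnnotation = "kubernetes.io/tls-acme" // opt-in annotation from the thread

// wantsManagedTLS reports whether the controller should act on this Route at all.
func wantsManagedTLS(r *Route) bool { return r.Annotations[tlsACMEAnnotation] == "true" }

// needsIssuance is true when the Route has no inline cert yet, the cert does
// not cover spec.host, or the cert expires within renewBefore of now (assumed window).
func needsIssuance(r *Route, now time.Time, renewBefore time.Duration) (bool, error) {
	if r.TLS == nil || r.TLS.Certificate == "" || r.TLS.Key == "" {
		return true, nil
	}
	block, _ := pem.Decode([]byte(r.TLS.Certificate))
	if block == nil {
		return false, fmt.Errorf("spec.tls.certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if cert.VerifyHostname(r.Host) != nil {
		return true, nil // cert was issued for a different host: reissue
	}
	return now.Add(renewBefore).After(cert.NotAfter), nil
}

// applyIssuedCert checks that key and cert belong together and that the cert
// covers the Route's host before writing PEM into spec.tls. The private key
// lands as plain data in the Route, readable by anyone who can read Routes.
func applyIssuedCert(r *Route, certPEM, keyPEM, caPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("key does not match certificate: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if err := leaf.VerifyHostname(r.Host); err != nil {
		return fmt.Errorf("refusing to install certificate: %w", err)
	}
	if r.TLS == nil {
		r.TLS = &RouteTLS{}
	}
	r.TLS.Termination = "edge"
	r.TLS.Certificate, r.TLS.Key, r.TLS.CACertificate = string(certPEM), string(keyPEM), string(caPEM)
	return nil
}

// issueSelfSigned stands in for the ACME issuance step: a locally generated
// self-signed certificate for host (constructed test data, not ACME output).
func issueSelfSigned(host string, ttl time.Duration) (certPEM, keyPEM []byte, err error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // valid key, cannot fail
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	r := &Route{Host: "app.example.test", Annotations: map[string]string{tlsACMEAnnotation: "true"}}
	certPEM, keyPEM, _ := issueSelfSigned(r.Host, 90*24*time.Hour)
	fmt.Println(wantsManagedTLS(r), applyIssuedCert(r, certPEM, keyPEM, nil), r.TLS.Termination)
}
```

The HTTP-01 challenge Route from the comment is left out; it is the same write path with a temporary object. The practical consequence of the inline fields, which the earlier comment about openshift/origin#2162 makes clear will not change, is that RBAC on `routes` is RBAC on private keys: a controller that writes spec.tls.key should itself hold only the narrowest possible Route permissions, and read access to Routes should be reviewed the same way as read access to TLS Secrets.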

Hey, is this a thing yet?

@munnerz I have developed this capability in this operator: cert-utils-operator.
The idea was to use cert-utils together with cert-manager, but perhaps it would not be too difficult to just move the route controller I have developed to cert-manager.

Would you be able to join the next community call to discuss this? The next one is on the 23rd of October (we run them bi-weekly).

@munnerz I should be able to. Can you tell me where I can find the meeting's logistics?

If you join the Google Group, you'll automatically receive a Google Calendar invite to the meeting.

You can also find meeting notes here: https://docs.google.com/document/d/1Tc5t6ylY9dhXAan1OjOoldeaoys1Yh4Ir710ATfBa5U/edit#

@munnerz I won't be able to make the meeting this Wednesday because I'll be on a flight. Any other way we can connect?

Is there a need for help on this issue?

@AdlerFleurant yes I think I'm going to need some help. I was hoping to meet some of you guys at KubeCon. Anyway I need some help registering the controllers. That piece is quite different in your code than with the operator-sdk. I will start a PR so we can work on it.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

/remove-lifecycle stale

OpenShift supports creation of ingress resources; you can use them to generate your certificates.

Ingress resources and routes do not have the same functionality.

@AdlerFleurant I am about to submit a PR on this that uses the cert-manager style of controllers. I am finishing one more piece that checks to make sure the route resources are defined on the cluster before starting the controller. So if you are not running on openshift the controller is disabled
