Cert-manager: ECDSA-certificates through ingress-shim?

Created on 30 Mar 2020 · 10 Comments · Source: jetstack/cert-manager

Hi,
We are relying heavily on the use of ingress annotations to generate our Certificate objects.
This works perfectly except for the fact that we now are looking into upgrading to ECDSA as key algorithm, ironically due to better backwards compatibility with Windows Server.

Our initial tests with a Certificate resource look promising, but I would really like to see this automatically created. Is it possible to set the default keyAlgorithm on the ClusterIssuer or the Ingress annotations?

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ecdsa-test
  namespace: sre-test
spec:
  dnsNames:
  - ecdsa-test.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretName: ecdsa-test
  keyAlgorithm: ecdsa

Input would be highly appreciated!

Labels: area/ingress-shim, good first issue, help wanted, kind/feature, priority/backlog

All 10 comments

Currently the ingress-shim doesn't support that.
I would suggest generating a Certificate resource with the same secret name as used in the Ingress and not using the annotations. That way cert-manager will still provide your ingress with the cert but allow more complex certificate options to be set.

Is this a feature we can expect in the future?

+1

There's a feature request tracking support for adding a CertificatePreset resource which I think would resolve this too: https://github.com/jetstack/cert-manager/issues/2239

Whilst we _can_ add more annotations, this becomes more complex over time as we add more and more things, but that said in this instance it isn't too complex... I think we could add this as an option here if you think it's valuable in the short term.

/priority backlog
/good-first-issue
/area ingress-shim

@munnerz:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

There's a feature request tracking support for adding a CertificatePreset resource which I think would resolve this too: https://github.com/jetstack/cert-manager/issues/2239

Whilst we _can_ add more annotations, this becomes more complex over time as we add more and more things, but that said in this instance it isn't too complex... I think we could add this as an option here if you think it's valuable in the short term.

/priority backlog
/good-first-issue
/area ingress-shim

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

We ended up just defining the certificate resources like @meyskens suggested. After an internal discussion we concluded that the "extra effort" is worth the transparency, especially for the people less involved.

With cert-manager.io/v1 the keyAlgorithm option of the Certificate custom resource was removed, so the solution @meyskens suggested does not work anymore.

@devopstales I would never remove ECDSA from a product :wink: (unless it is the year 2040 and it is deemed insecure)
We just moved it to a new home: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ecdsa-test
  namespace: sre-test
spec:
  dnsNames:
  - ecdsa-test.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretName: ecdsa-test
  privateKey:
    algorithm: ECDSA
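The following is an added example, not from the issue or the cert-manager project, that puts the two suggestions in this thread together: the Ingress is left without a cert-manager annotation (so ingress-shim does not create a competing Certificate for the same secret) and a standalone cert-manager.io/v1 Certificate writes into the secret the Ingress references, requesting an ECDSA key via privateKey. The ingress class, backend Service name and hostnames are assumptions; the v1 API spells the algorithm value in uppercase (RSA, ECDSA, Ed25519), and for ECDSA the size field selects the curve (256 for P-256, 384 for P-384).

```yaml
# Added example (not part of the issue): Ingress + Certificate sharing one TLS secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ecdsa-test
  namespace: sre-test
  # Deliberately no cert-manager.io/cluster-issuer annotation: with the annotation
  # present, ingress-shim would create its own Certificate for the same secretName
  # using its defaults, and the two objects would fight over the secret.
spec:
  ingressClassName: nginx          # assumption: use the cluster's ingress class
  tls:
  - hosts:
    - ecdsa-test.example.com
    secretName: ecdsa-test         # must equal spec.secretName of the Certificate below
  rules:
  - host: ecdsa-test.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ecdsa-test       # assumption: the Service fronted by this Ingress
            port:
              number: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ecdsa-test
  namespace: sre-test
spec:
  dnsNames:
  - ecdsa-test.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  secretName: ecdsa-test           # the same secret the Ingress reads tls.crt/tls.key from
  privateKey:
    algorithm: ECDSA               # v1 replaces the v1alpha2 keyAlgorithm field with this block
    size: 256                      # P-256; 384 selects P-384
    rotationPolicy: Always         # generate a fresh private key on every renewal
```

After cert-manager has issued the certificate, the key type actually in use can be confirmed by decoding tls.crt from the secret and reading the "Public Key Algorithm" line of `openssl x509 -noout -text`; if it still reports rsaEncryption, check that no annotated Ingress in the namespace targets the same secretName.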

Should the title be 'ECDSA-certificates through ClusterIssuer, Issuer or ingress-annotations'?

Renamed to be specific for ingress-shim
