Contour currently supports getting TLS certificates via cert-manager using HTTP-01 validation through standard Ingress annotations.
Cert-manager does not work with IngressRoute objects which means that Contour users taking advantage of the new IngressRoute CRD will not be able to use Let's Encrypt certificates from Cert-Manager. The Istio community has a similar problem with their Gateway API
We spoke with @munnerz from the cert-manager project this morning and they're working on moving the HTTP-01 validation to a new CRD schema that could allow for a plugin-like model (or API-driven).
This is a pretty frequent request - I'm proposing this for 0.7.0
I guess this ticket is also necessary to make TCP proxying work together with cert-manager?
@remmeier this ticket is to ensure that cert-manager, specifically the ingress-shim process, can work with contour in the absence of k8s ingress records, that is, the installation is only using ingressroute.
If you have a question about using cert-manager and tcp proxying, please raise a new ticket.
I was investigating contour, tcp and cert-manager and my understanding of this ticket is that this combination is currently not support to do that due to limitations of the ingress resource (just HTTP). But resolving this ticket will do that as TCP proxying is a feature of the IngressRoute? If there is something I missed, I can create another ticket.
@remmeier this ticket is to ensure that cert-manager, specifically the ingress-shim process. TCP proxying is #787
Is there an expected release date for that ticket? or for 0.10.0 in general? 鈽猴笍
Moving the epic to Contour 1.0, implementation issues will be addressed in beta1 and rc1
Duplicate of #950 (that's where the work will be done)
@davecheney This issue is referenced by the docs. Can we keep it open to track fullcert-manager support, since that might involve more issues than only #950?
Most helpful comment
This is a pretty frequent request - I'm proposing this for 0.7.0