Draft of tutorial for Google's Public CA #1213
Open
+106
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Solicited here: cert-manager/cert-manager#5867 (comment) Signed-off-by: Adam Vollrath <adam.d.vollrath@gmail.com>
jetstack-bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: axisofentropy The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
size/L
|
cc @irbekrm for review |
✅ Deploy Preview for cert-manager-website ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
|
/ok-to-test |
maelvls
reviewed
May 23, 2023
|
|
||
| Google's Public Certificate Authority is completely free to use, so long as you have a GCP Project to meter its quotas. Unlike ZeroSSL, Google's quotas are published here: <https://cloud.google.com/certificate-manager/docs/quotas#public_ca_request_quotas> | ||
|
|
||
| We have not yet bumped up against these quota limits, and now our customers are consistently provisioning certificates with many additional hostnames. This is another example of infrastructure work we do so you can deploy ephemeral environments for all of your project's branches. If you have questions about this or any of our infrastructure, join us on Slack! |
There was a problem hiding this comment.
nit: who is "We"? Maybe replace with the name of the company that is giving this testimony. Also maybe dial down the "commercial" tone. 😅
Suggestion:
Suggested change
| We have not yet bumped up against these quota limits, and now our customers are consistently provisioning certificates with many additional hostnames. This is another example of infrastructure work we do so you can deploy ephemeral environments for all of your project's branches. If you have questions about this or any of our infrastructure, join us on Slack! | |
| **Testimonial:** Uffizzi is a company using cert-manager with Google's Public Certificate Authority. Uffizzi has not yet bumped up against these quota limits. Since they have started using Google's Public Certificate Authority, Uffizzi's customers are consistently provisioning certificates with many additional hostnames. |
maelvls
reviewed
May 23, 2023
| linktitle: "Configuring Google's Public Certificate Authority" | ||
| --- | ||
|
|
||
| For years we used `cert-manager` to provision TLS certificates from ZeroSSL. Their ACME service is free, but we've really gotten what we paid for. Service outages were common, and more recently ZeroSSL added undocumented rate limiting for HTTP requests to their ACME API. This change put us in the same situation as this `cert-manager` user: <https://github.com/cert-manager/cert-manager/issues/5867>. We began looking for alternative certificate authorities that support the ACME protocol. |
There was a problem hiding this comment.
"We" isn't defined here, but we can rephrase it so that "we" isn't needed.
Suggested change
| For years we used `cert-manager` to provision TLS certificates from ZeroSSL. Their ACME service is free, but we've really gotten what we paid for. Service outages were common, and more recently ZeroSSL added undocumented rate limiting for HTTP requests to their ACME API. This change put us in the same situation as this `cert-manager` user: <https://github.com/cert-manager/cert-manager/issues/5867>. We began looking for alternative certificate authorities that support the ACME protocol. | |
| cert-manager can be used for issuing free certificates with ZeroSSL and Let's Encrypt. | |
| ZeroSSL's is great to get started but doesn't work well for large scales use-cases. More specifically, ZeroSSL has a rate limit for HTTP requests to their ACME API. | |
| For companies that need to go beyond ZeroSSL's and Let's Encrypt's limitations, Google's Public Certificate Authority is a good fit since it supports the ACME protocol. |
maelvls
reviewed
May 23, 2023
|
|
||
| For years we used `cert-manager` to provision TLS certificates from ZeroSSL. Their ACME service is free, but we've really gotten what we paid for. Service outages were common, and more recently ZeroSSL added undocumented rate limiting for HTTP requests to their ACME API. This change put us in the same situation as this `cert-manager` user: <https://github.com/cert-manager/cert-manager/issues/5867>. We began looking for alternative certificate authorities that support the ACME protocol. | ||
|
|
||
| About a year ago, Google announced ACME protocol support for their new Public Certificate Authority. This is the alternative we're looking for. We've configured our system to use this and below I'll show how you can too. We'll follow part of Google's tutorial, but instead of using `certbot`, we'll configure a `ClusterIssuer` and associated `Secret` for `cert-manager`. <https://cloud.google.com/certificate-manager/docs/public-ca-tutorial> |
There was a problem hiding this comment.
Suggested change
| About a year ago, Google announced ACME protocol support for their new Public Certificate Authority. This is the alternative we're looking for. We've configured our system to use this and below I'll show how you can too. We'll follow part of Google's tutorial, but instead of using `certbot`, we'll configure a `ClusterIssuer` and associated `Secret` for `cert-manager`. <https://cloud.google.com/certificate-manager/docs/public-ca-tutorial> | |
| In this tutorial, we will follow part of [Google's Public CA tutorial][public-ca-tutorial]. Instead of using `certbot`, we will configure a `ClusterIssuer` and associated `Secret` for cert-manager. | |
| [public-ca-tutorial]: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial |
maelvls
reviewed
May 23, 2023
| cert-manager.io/cluster-issuer: google-public-ca | ||
| ``` | ||
|
|
||
| (In our case, we manage these k8s resources using terraform, specifically the `kubernetes_secret` and `kubernetes_manifest` resources.) |
There was a problem hiding this comment.
This seems to be outside the scope of the tutorial, I'd suggest removing this line.
Suggested change
| (In our case, we manage these k8s resources using terraform, specifically the `kubernetes_secret` and `kubernetes_manifest` resources.) |
That said, if you think using Terraform is an important or recommended way of using the tool, I'd suggest replacing "We" with "The recommended way of... is to...".
|
This is a great tutorial! I'd change a few bit to make it fit the website. |
jetstack-bot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Solicited here: cert-manager/cert-manager#5867 (comment)