Allow specifying certificate by name #572
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using the 'service.beta.kubernetes.io/do-loadbalancer-certificate-name' service annotation, the certificate for an HTTPS load balancer can bow be specified by name. The corresponding certificate ID is then retrieved using the DO API at load balancer creation/update time and is used from then on. So far, the certificate had to be specified using the '.../do-loadbalancer-certificate-id' annotation and this was automatically updated to reflect an ID change resulting from a certificate renewal. However if, after such a renewal, the service was re-created without re-fecthing the latest certificate ID, the service remained stuck waiting for its external IP. This is for example very useful when deploying with a CD system such as Flux, where the deployment specification comes from a source repository. In that case, one would not expect having to update the source repository as a result of an automatic certificate renewal. With this change, the source repository can specify the certificate by name so it won't have to be updated after the certificate is renewed. And a redeployment of the service will automatically fetch the current ID of the referenced certificate. Signed-off-by: David Verbeiren <david.verbeiren@tessares.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using the 'service.beta.kubernetes.io/do-loadbalancer-certificate-name' service annotation, the certificate for an HTTPS load balancer can bow be specified by name. The corresponding certificate ID is then retrieved using the DO API at load balancer creation/update time and is used from then on.
So far, the certificate had to be specified using the '.../do-loadbalancer-certificate-id' annotation and this was automatically updated to reflect an ID change resulting from a certificate renewal. However if, after such a renewal, the service was re-created without re-fecthing the latest certificate ID, the service remained stuck waiting for its external IP.
This is for example very useful when deploying with a CD system such as Flux, where the deployment specification comes from a source repository. In that case, one would not expect having to update the source repository as a result of an automatic certificate renewal.
With this change, the source repository can specify the certificate by name so it won't have to be updated after the certificate is renewed. And a redeployment of the service will automatically fetch the current ID of the referenced certificate.