Skip to content
This repository has been archived by the owner on Apr 30, 2024. It is now read-only.

Allow specifying different issuers for different Services #353

Open
dan-j opened this issue Feb 8, 2022 · 14 comments
Open

Allow specifying different issuers for different Services #353

dan-j opened this issue Feb 8, 2022 · 14 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@dan-j
Copy link

dan-j commented Feb 8, 2022

Taken from a discussion on Slack: https://knative.slack.com/archives/C0186KU7STW/p1644261780362609

I'd like to have a way to use a different cert-manager issuer for particular services. This could be achieved in one of two ways:

  1. overridden by an annotation on my service
  2. multiple configs provided in config-certmanager with a label selector

Option 1) seems easier to implement, although option 2) is more similar to how domain mapping is performed for overriding cluster-domain.
@dprotaso
Copy link
Contributor

dprotaso commented Feb 9, 2022

cc @nak3 @carlisia

@dprotaso
Copy link
Contributor

dprotaso commented Feb 9, 2022

/good-first-issue
/kind feature

@knative-prow-robot
Copy link

@dprotaso: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

/good-first-issue
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow-robot
Copy link

@dprotaso:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

/good-first-issue
/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow-robot knative-prow-robot added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Feb 9, 2022
@dan-j
Copy link
Author

dan-j commented Feb 10, 2022

@dprotaso @nak3 @carlisia

Do any of you have a preferred approach on how to implement this? Not sure how much time I can spare but I'd be willing to try and fit this in.

@nak3
Copy link
Contributor

nak3 commented Feb 10, 2022

Thank you @dan-j !

I prefer to option-2. I am assuming that users want to specify different issuers for different domains so it would be better to align with the cluster-domain's label selector way.

With said, Red Hat's OpenShift Serverless (Knative) does not use net-certmanager so I am not so familiar with the use case. Any other thoughts @dprotaso @carlisia @ZhiminXiang ?

@nak3
Copy link
Contributor

nak3 commented Feb 10, 2022

And I guess the code for option-2 will not be so complicated if we use contour's this data structure as a reference - https://github.com/knative-sandbox/net-contour/blob/aa1a8a4cc22f8ddd09ab154f9af07b1ded994959/config/config-contour.yaml#L51-L57 and around https://github.com/knative-sandbox/net-contour/blob/aa1a8a4cc22f8ddd09ab154f9af07b1ded994959/pkg/reconciler/contour/config/contour.go#L54-L57

IIRC, the code around config-domain is a little bit complicated 😅

@carlisia carlisia self-assigned this Feb 19, 2022
@carlisia
Copy link
Member

/assign @carlisia

@github-actions
Copy link

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 21, 2022
@carlisia
Copy link
Member

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 10, 2022
@github-actions
Copy link

github-actions bot commented Sep 9, 2022

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 9, 2022
@dprotaso
Copy link
Contributor

/unassign @carlisia
/lifecycle frozen

@knative-prow knative-prow bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 16, 2022
@stephan48
Copy link

Hey,
i stumbled upon this and wanted to get some feedback before pursuing a red hering.

Wouldn't one of the easier ways to workaround this be to allow setting https://github.com/knative-sandbox/net-certmanager/blob/main/pkg/reconciler/certificate/controller.go#L81 (and L83) to a custom value?

This way you could run two net-certmanager instances in the cluster and configure them with specific issuers?

On the service you would need to override the certificate class as per https://knative.dev/docs/serving/services/certificate-class/

Is this a feasible approach? I still will consider true multi issuer support to be the end goal here, but this would already enable these use cases without much "effort".

Kind Regards,
Stephan

@dprotaso
Copy link
Contributor

This way you could run two net-certmanager instances in the cluster and configure them with specific issuers?

In theory yes but I don't think we want to suggest that approach since you need to change the installation of Knative to support multiple issuers.

@ReToCode ReToCode mentioned this issue May 26, 2023
Merged
@dprotaso dprotaso mentioned this issue Jan 31, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@carlisia @dprotaso @stephan48 @nak3 @dan-j @knative-prow-robot