Allow specifying different issuers for different Services #353
Comments
/good-first-issue
@dprotaso: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@dprotaso: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Thank you @dan-j! I prefer option-2. I am assuming that users want to specify different issuers for different domains, so it would be better to align with the cluster-domain's label selector way. With that said, Red Hat's OpenShift Serverless (Knative) does not use net-certmanager, so I am not so familiar with the use case. Any other thoughts @dprotaso @carlisia @ZhiminXiang?
And I guess the code for option-2 will not be so complicated if we use this data structure from contour as a reference - https://github.com/knative-sandbox/net-contour/blob/aa1a8a4cc22f8ddd09ab154f9af07b1ded994959/config/config-contour.yaml#L51-L57 and around https://github.com/knative-sandbox/net-contour/blob/aa1a8a4cc22f8ddd09ab154f9af07b1ded994959/pkg/reconciler/contour/config/contour.go#L54-L57. IIRC, the code around config-domain is a little bit complicated 😅
/assign @carlisia
This issue is stale because it has been open for 90 days with no |
/remove-lifecycle stale
This issue is stale because it has been open for 90 days with no |
/unassign @carlisia
Hey, wouldn't one of the easier ways to work around this be to allow setting https://github.com/knative-sandbox/net-certmanager/blob/main/pkg/reconciler/certificate/controller.go#L81 (and L83) to a custom value? This way you could run two net-certmanager instances in the cluster and configure them with specific issuers? On the service you would need to override the certificate class as per https://knative.dev/docs/serving/services/certificate-class/. Is this a feasible approach? I will still consider true multi-issuer support to be the end goal here, but this would already enable these use cases without much "effort". Kind Regards,
In theory yes, but I don't think we want to suggest that approach, since you need to change the installation of Knative to support multiple issuers.
Taken from a discussion on Slack: https://knative.slack.com/archives/C0186KU7STW/p1644261780362609
I'd like to have a way to use a different cert-manager issuer for particular services. This could be achieved in one of two ways:
config-certmanager
with a label selector
Option 1) seems easier to implement, although option 2) is more similar to how domain mapping is performed for overriding cluster-domain.