Add default TLS cert #1130

Open
BobyMCbobs opened this issue Jun 10, 2023 · 6 comments
Comments

@BobyMCbobs
Member

use an existing secret for TLS termination.

similar to knative-extensions/net-contour#193

/assign

@github-actions

github-actions bot commented Sep 9, 2023

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

github-actions bot added the lifecycle/stale label Sep 9, 2023
@BobyMCbobs
Member Author

/remove-lifecycle stale

knative-prow bot removed the lifecycle/stale label Sep 13, 2023
@nak3
Contributor

nak3 commented Sep 13, 2023

Hi @BobyMCbobs

net-istio has two TLS setups:
a) Manually adding a TLS certificate
b) Enabling auto-TLS certs

I assume that you want to add the default TLS cert for b) but then I guess it is a little bit difficult for net-istio.

Unlike Contour, Istio's Gateway does not support cross-namespace secrets[1][2]. Therefore, we need to deploy secrets in every single namespace where net-istio generated the Gateway.

Contour can deploy the default secret in "some-admin-namespace", though.

Sorry if you have any other good solution but I just leave my comment here.

[1] istio/istio#14598 (comment)
[2] https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings (Only credentialName is available)
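
An added example (not part of the thread and not net-istio's code) of what the per-namespace deployment described in the comment above involves: it builds one copy of a TLS Secret manifest for each target namespace and drops server-assigned metadata. The secret name, target namespaces, label key and data values are constructed placeholders, and how the Gateway namespaces are discovered is assumed to happen elsewhere.

```python
import copy

# Metadata the API server assigns; a copy must not carry it into a new namespace.
SERVER_ASSIGNED = ("uid", "resourceVersion", "creationTimestamp", "selfLink",
                   "generation", "managedFields", "ownerReferences")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Hypothetical label key, used here so copies can be found for rotation/cleanup.
SOURCE_LABEL = "example.invalid/replicated-from"


def replicate_tls_secret(source, target_namespaces):
    """Return one Secret manifest per target namespace, copied from `source`."""
    if source.get("kind") != "Secret" or source.get("type") != "kubernetes.io/tls":
        raise ValueError("source must be a Secret of type kubernetes.io/tls")
    missing = [k for k in ("tls.crt", "tls.key") if not source.get("data", {}).get(k)]
    if missing:
        raise ValueError(f"source secret lacks {missing}")
    src_ns = source.get("metadata", {}).get("namespace")
    if not src_ns:
        raise ValueError("source secret must state its namespace")

    copies = []
    for ns in sorted(set(target_namespaces)):
        if ns == src_ns:
            continue  # the original already lives here
        manifest = copy.deepcopy(source)  # never mutate the caller's object
        meta = manifest["metadata"]
        for field in SERVER_ASSIGNED:
            meta.pop(field, None)
        # This annotation can embed the whole old manifest, key material included.
        (meta.get("annotations") or {}).pop(LAST_APPLIED, None)
        meta["namespace"] = ns
        meta.setdefault("labels", {})[SOURCE_LABEL] = src_ns
        copies.append(manifest)
    return copies


# Constructed sample: the data values are placeholders, not a real certificate or key.
SAMPLE_SOURCE = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "default-tls", "namespace": "some-admin-namespace",
                 "uid": "constructed-uid", "resourceVersion": "12345"},
    "data": {"tls.crt": "Y29uc3RydWN0ZWQ=", "tls.key": "Y29uc3RydWN0ZWQ="},
}

if __name__ == "__main__":
    for m in replicate_tls_secret(SAMPLE_SOURCE, ["team-a", "team-b"]):
        print(m["metadata"]["namespace"], m["metadata"]["name"])
```

Every copy holds the same private key, so read access to Secrets has to be restricted in each receiving namespace, and a rotation must update all copies.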

@BobyMCbobs
Member Author

BobyMCbobs commented Sep 13, 2023

> Hi @BobyMCbobs
>
> net-istio has two TLS setups:
> a) Manually adding a TLS certificate
> b) Enabling auto-TLS certs
>
> I assume that you want to add the default TLS cert for b) but then I guess it is a little bit difficult for net-istio.

@nak3, thank you for your reply.
Yeah this is correct.
Ideally make it so that it uses a given TLS cert by default for a hostname wildcard and for anything else it uses net-certmanager.
I think I may need to write something custom for that functionality though.
Perhaps even a MutatingWebhookConfiguration could do it 🤔

> Unlike Contour, Istio's Gateway does not support cross-namespace secrets[1][2]. Therefore, we need to deploy secrets in every single namespace where net-istio generated the Gateway.
>
> Contour can deploy the default secret in "some-admin-namespace", though.

When I used Contour, this was something I also implemented

> Sorry if you have any other good solution but I just leave my comment here.
>
> [1] istio/istio#14598 (comment)
> [2] https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings (Only credentialName is available)


github-actions bot added the lifecycle/stale label Dec 13, 2023
@dprotaso dprotaso reopened this Mar 22, 2024
@dprotaso
Contributor

/unassign @BobyMCbobs

github-actions bot removed the lifecycle/stale label Mar 23, 2024