What's needed and why ?
Hi All
As a BunkerWeb user, having cert-manager in the Kubernetes integration would make my experience even more cloud native.
As a homelab user on a Kubernetes cluster, I would like to configure cert-manager with the DNS-01 challenge instead of HTTP-01, to be able to close all unnecessary ports and apply GeoBlocking (Let's Encrypt does not support IP sets to apply/whitelist on a firewall).
As a potential business customer, I can store my certificates in HashiCorp Vault or Venafi and apply them to my Ingress, as they are supported by cert-manager.
I see the certbot-dns-* examples, which could cover at least the second use case (e.g. ../examples/certbot-dns-cloudflare/docker-compose.yml), but as far as I understand it, you need to mount the "certs" volume into bunkerweb, the scheduler and a custom certbot container with the corresponding config. I'm not sure how I would implement that on Kubernetes. Using Kubernetes Secrets and Ingress annotations would make it more native to that integration.
Implementation ideas (optional)
The documentation for cert-manager is here: https://cert-manager.io/docs/
But the installation and configuration of cert-manager can be out of scope.
cert-manager stores the key and crt in a Kubernetes Secret:
On the Ingress, the mapping happens in the annotations section:
I'm not a specialist as I'm still learning, but I guess the Ingress annotation triggers cert-manager, which then stores the crt/key as a Secret. Finally the ingress controller (e.g. Traefik) picks it up and deploys/configures the TLS termination. Maybe it's also triggered by the ingress controller itself. See for example the official Kubernetes NGINX Ingress chart: https://github.com/kubernetes/ingress-nginx/blob/afd1311f8529c21fdf6621bf683bec814e698f1d/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
As one can have multiple issuers, I would suggest leaving that as a matter for cert-manager and defining only the secret:
Finally the BunkerWeb Scheduler(?) would pick up the secret and store it in /certs/, like it does for example for http, server-http, modsec etc. with the ConfigMap feature.
Hopefully I was able to explain the need simply; otherwise please let me know if I should elaborate. If you think this is an edge case and doesn't fit your roadmap, don't worry about it and close the issue :-)
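The flow sketched in the issue (DNS-01 issuer, Ingress annotation, resulting TLS Secret), written out as an added example that is not part of the issue and not BunkerWeb's or cert-manager's own code. Every name in it (letsencrypt-dns01, cloudflare-api-token, www-example-com-tls, bunkerweb-ingress, the bunkerweb Service, example.com addresses) is an assumed placeholder; the resource kinds, API versions and the cert-manager.io/cluster-issuer annotation are the real cert-manager and Kubernetes ones.

```yaml
# Added example; names and addresses are assumed placeholders.

# 1. Issuer: ACME via the DNS-01 challenge. Validation happens through a DNS
#    TXT record, so no inbound port 80 has to be open for HTTP-01 and the
#    firewall can stay closed except for the traffic you actually serve.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com                 # assumed
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key    # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token     # Secret in cert-manager's own namespace
              key: api-token                 # scope this token to DNS edit on the zone only
---
# 2. Ingress: the annotation asks cert-manager (its ingress-shim component) to
#    request a certificate for the hosts under spec.tls and to store it in
#    the Secret named there.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bunkerweb-ingress
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-dns01
spec:
  tls:
    - hosts:
        - www.example.com
      secretName: www-example-com-tls        # cert-manager writes tls.crt / tls.key here
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bunkerweb              # assumed Service name
                port:
                  number: 80
---
# 3. What cert-manager produces, in the Ingress's namespace (shape only; the
#    data values are placeholders). A consumer such as the scheduler would
#    decode tls.crt and tls.key and write them under /certs/, keeping the key
#    readable only by the BunkerWeb user.
apiVersion: v1
kind: Secret
metadata:
  name: www-example-com-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM certificate chain, placeholder>
  tls.key: <base64 PEM private key, placeholder>
```

Two points worth checking when wiring this up: the Cloudflare token Secret referenced by a ClusterIssuer must live in cert-manager's own namespace (not the Ingress namespace), and whatever component copies the Secret into /certs/ needs RBAC read access only to the specific TLS Secrets it consumes, since a broad "get secrets" grant would expose every Secret in the namespace, including the DNS API token.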