Configuration of the "aaa" cluster at GCP #643
Comments
The pattern so far has been to create an Ingress without a static IP, let it get allocated and then manually mark it static. In reality, it's not really required to be static, but it's an old habit :) The main reason NOT to TF it is that (so far) TF is for the cluster, not the things in the cluster.
Oh, I didn't realize that. That's...obnoxious. @munnerz is there any way to make this more self-service? Like "allow any domain name asserting under k8s.io or kubernetes.io" and let DNS working or not-working be the deciding factor? |
This is already the case - there is a k8s.io/cert-manager/letsencrypt-prod.yaml Lines 26 to 32 in fe6fbdd There is also an explicit exception for k8s.io/cert-manager/letsencrypt-prod.yaml Lines 14 to 22 in fe6fbdd That said, if you create a new Ingress resource (i.e. GCLB) to serve traffic under (i.e. you are not pointing the new domain at the
Hope that helps 😄 |
We need to know which Ingress resource should be updated in order to 'solve' the HTTP01 challenge, so there's no totally magic way to do this - the above annotation is probably the closest thing to that though 😄 |
|
Great! Thank you @munnerz! What is the reason gcsweb is treated differently in that case? |
|
Because gcsweb is exposed under a different IP address with a different Ingress resource (named |
|
The additional config step is a product of the With ingress controllers like |
|
To clarify - that annotation and the edit to the cert-manager config
achieve the same result? De-centralized is what we want...
…On Tue, Mar 10, 2020 at 5:01 AM James Munnelly ***@***.***> wrote:
The additional config step is a product of the ingress-gce ingress
controller mapping a single front-end IP to a single Ingress resource. This
means that we *have* to edit the 'existing' Ingress resource in order to
solve challenges.
With ingress controllers like ingress-nginx, which 'flatten' Ingress
configuration into a single nginx config, we are able to simply create
*new* Ingress resources that *only* contain the HTTP01 challenge solving
routes, and save this awkward extra step.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#643?email_source=notifications&email_token=ABKWAVETAVAS7S46RMBBFQ3RGYT3LA5CNFSM4LDNGVIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOLEBKY#issuecomment-597049515>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVBSSTPQ3KM44G7PSILRGYT3LANCNFSM4LDNGVIA>
.
|
|
Ping @munnerz
…On Tue, Mar 10, 2020 at 5:58 PM Tim Hockin ***@***.***> wrote:
To clarify - that annotation and the edit to the cert-manager config achieve the same result? De-centralized is what we want...
On Tue, Mar 10, 2020 at 5:01 AM James Munnelly ***@***.***> wrote:
>
> The additional config step is a product of the ingress-gce ingress controller mapping a single front-end IP to a single Ingress resource. This means that we have to edit the 'existing' Ingress resource in order to solve challenges.
>
> With ingress controllers like ingress-nginx, which 'flatten' Ingress configuration into a single nginx config, we are able to simply create new Ingress resources that only contain the HTTP01 challenge solving routes, and save this awkward extra step.
>
> —
> You are receiving this because you were assigned.
> Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
So if we add a new solver entry: # matches all Certificate resources
- selector: {}
http01:
ingress:
name: "anything" # this value will be overridden by the 'http01-override-ingress-name' annotationand then add We could also continue to make the 'solver' match on # matches all Certificate resources
- selector:
dnsZones:
- k8s.io
- kubernetes.io
http01:
ingress:
name: "anything" # this value will be overridden by the 'http01-override-ingress-name' annotationI'm happy to put a PR together if you want :) |
|
That sounds like what we want, I think. PR would be welcome.
…On Tue, Mar 17, 2020 at 6:33 AM James Munnelly ***@***.***> wrote:
So if we add a new solver entry:
# matches all Certificate resources
- selector: {}
http01:
ingress:
name: "anything" # this value will be overridden by the 'http01-override-ingress-name' annotation
and then add acme.cert-manager.io/http01-override-ingress-name:
"name-of-ingress-in-current-namespace" to the *Certificate* resource, we
achieve what we after. It effectively applied a per-Certificate override to
the clusterissuer.spec.solvers[].http01.ingress.name.
We could also continue to make the 'solver' match on dnsZones too if we
want to make it required that any new zone being added has to require a
change to our ClusterIssuer (which required admins to approve) (i.e. still
keep the selector containing dnsZones: ["k8s.io", "kubernetes.io"]), e.g.:
# matches all Certificate resources
- selector:
dnsZones:
- k8s.io
- kubernetes.io
http01:
ingress:
name: "anything" # this value will be overridden by the 'http01-override-ingress-name' annotation
I'm happy to put a PR together if you want :)
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#643 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVGHRWMTE2HHITNTLADRH533JANCNFSM4LDNGVIA>
.
|
spiffxp
added
area/apps/cert-manager
|
/close |
|
@spiffxp: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When I was working on moving the
perf-dashinto theaaacluster I faced few issues and want to document everything for others, so please help me understand it better.Let me get you through my thought process, and if anything here is wrong, please comment on that.
NodePort(like in gcsweb and ingress with annotation with the name of static ip address, so I need to add the static address in the first place.@munnerz do you see any problems with my foughts process in relation to cert-manager here?
/assign @munnerz
@BenTheElder @thockin is this process correct? Will it be enought to point a subdomain to a project?
/assign @BenTheElder @thockin
@thockin @dims @cblecker do you think we could put the configuration of static IP addresses into our terraform configuration files?
/assign @dims @cblecker
I want to improve our documentation which I see as a really important for our contributors (new and the current ones) to understand our infra processes better, so I'm very grateful for any help :-)
/assign
The text was updated successfully, but these errors were encountered: