Adding custom annotation to cm ingress resources #6903

Open
guilhem opened this issue Apr 15, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@guilhem
Contributor

guilhem commented Apr 15, 2024

Is your feature request related to a problem? Please describe.

All my ingresses are protected with an oauth2-proxy.
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#global-auth-url

But ACME challenge must be allowed with a custom annotation: nginx.ingress.kubernetes.io/enable-global-auth
https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-external-authentication

Describe the solution you'd like

I should be able, like adding ClusterIssuer etc, to add arbitrary annotations to ingress resources.

Describe alternatives you've considered

Using Kyverno to patch ing resource

ClusterPolicy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ingress-annotation
spec:
  rules:
    - name: annotate-ingress
      match:
        resources:
          kinds:
            - Ingress
          name: "cm-acme-http-solver-*"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              nginx.ingress.kubernetes.io/enable-global-auth: "false"

Additional context

ingAnnotations := make(map[string]string)

/kind feature

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 15, 2024
@guilhem guilhem changed the title Adding custom annotation to cm ingress ressource Adding custom annotation to cm ingress resources Apr 15, 2024
@hawksight
Member

Hey I think you can use this flag on the cert-manager-controller, --auto-certificate-annotations strings?

      --auto-certificate-annotations strings                 The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])

I found this running the latest image:

docker run -ti --rm quay.io/jetstack/cert-manager-controller:v1.14.5 --help

I might have misread it, but perhaps give that a go to see if you can add multiple strings to that argument including the additional one you need?

--auto-certificate-annotations "kubernetes.io/tls-acme,nginx.ingress.kubernetes.io/enable-global-auth"

@guilhem
Contributor Author

guilhem commented May 9, 2024

To respond to myself, ingress-nginx has a dedicated option no-auth-locations to bypass location for specific locations, like /.well-known/acme-challenge (set by default).
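
An audit a cluster operator could run alongside either workaround in this thread, added here as an example and not code from the issue or from cert-manager, ingress-nginx or Kyverno: it lists Ingresses that set nginx.ingress.kubernetes.io/enable-global-auth to "false" while serving paths outside /.well-known/acme-challenge/, which a name-only match such as cm-acme-http-solver-* does not rule out. The function names and the sample Ingress objects are constructed for illustration.

```python
from fnmatch import fnmatch

ANNOTATION = "nginx.ingress.kubernetes.io/enable-global-auth"
ACME_PREFIX = "/.well-known/acme-challenge/"
SOLVER_NAME = "cm-acme-http-solver-*"  # name pattern used by the Kyverno policy above

def ingress_paths(ing):
    """Return every HTTP path an Ingress serves; a defaultBackend counts as '/'."""
    spec = ing.get("spec") or {}
    found = ["/"] if spec.get("defaultBackend") else []
    for rule in spec.get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            found.append(entry.get("path") or "/")
    return found

def audit(ingress_list):
    """List Ingresses that opt out of global auth yet serve non-ACME paths.

    Input has the shape of `kubectl get ingress -A -o json`. Each finding is
    (namespace, name, matches_solver_name, [paths served without global auth]).
    """
    findings = []
    for ing in ingress_list.get("items") or []:
        meta = ing.get("metadata") or {}
        value = (meta.get("annotations") or {}).get(ANNOTATION, "true")
        if value.strip().lower() != "false":  # assumption: literal "false", as in the policy
            continue
        open_paths = [p for p in ingress_paths(ing) if not p.startswith(ACME_PREFIX)]
        if open_paths:
            name = meta.get("name", "")
            findings.append((meta.get("namespace", "default"), name,
                             fnmatch(name, SOLVER_NAME), open_paths))
    return findings

def sample_ingress(ns, name, paths, annotations=None):
    """Build a constructed sample Ingress (not real cluster data)."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
            "spec": {"rules": [{"http": {"paths": [{"path": p} for p in paths]}}]}}

OFF = {ANNOTATION: "false"}
SAMPLE = {"items": [
    sample_ingress("shop", "cm-acme-http-solver-abc12", [ACME_PREFIX + "token-1"], OFF),
    sample_ingress("dev", "cm-acme-http-solver-zz999", [ACME_PREFIX + "token-2", "/admin"], OFF),
    sample_ingress("ops", "metrics", ["/metrics"], OFF),
    sample_ingress("shop", "web", ["/"]),
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```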
