
Add secretTemplate to Certificate resources created by ingress-shim #6838

Open
mangeshhambarde opened this issue Mar 7, 2024 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@mangeshhambarde
Contributor

mangeshhambarde commented Mar 7, 2024

Is your feature request related to a problem? Please describe.
Currently, the secretTemplate field in Certificate resources allows adding arbitrary annotations/labels to secrets. This is fine, but there is no option to set this field in Certificate resources automatically generated by ingress-shim from Ingress resources.

This makes it difficult to use sync tools (e.g. kubernetes-reflector) in combination with ingress-shim, as they usually need annotations to be set on the Secret resources. Secret sync tools are popularly used when secrets need to be accessed in a different namespace (e.g. the istio ingress gateway needs the secrets to be present in its own namespace).

Describe the solution you'd like
Any solution that allows setting arbitrary annotations in the secretTemplate field of Certificate resources generated by ingress-shim, or on any Secret created by cert-manager.
I can think of:
[1] a new Ingress annotation that sets the secretTemplate field (to be added here)
[2] a new Issuer/ClusterIssuer annotation that does something similar
[3] values.yaml
[4] controller arguments

I have some changes that implement [1], I will shortly create a PR. Any feedback is appreciated 🙂

Describe alternatives you've considered

  • Mutating webhooks, but that increases maintenance burden.
  • Tools like Kyverno (suggested here) also increase maintenance burden.
  • Not using ingress-shim at all and manually creating Certificate resources in all cases, not feasible.

Additional context
Many users have asked for this functionality in the past; it seems that #2239 should have taken care of this use case, but it seems to be shelved.

It makes sense for cert-manager to support this as this is essentially a gap between manually deployed Certificate resources and those created by ingress-shim. I understand that adding additional ingress annotations might be discouraged now, but since secret sync tools are quite popular (the fact that this page exists), I think an extra annotation makes sense in this case.

Slack conversation in #cert-manager-dev about the presets design v/s adding more annotations:
https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1653985421386439?thread_ts=1653895488.262499&cid=CDEQJ0Q8M

Exhibits
#933
#5859
#2576 (comment)
#2239 (comment)

/kind feature
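To make option [1] concrete, here is a stand-alone sketch of how an ingress-shim-style controller could turn an Ingress annotation into the `secretTemplate` of the generated Certificate. This is an added example and not cert-manager code: the annotation key `cert-manager.io/secret-template-annotations`, its `key=value,key=value` format, and the local `SecretTemplate` type are all assumptions made for the example. The reflector annotation names in the sample input are the ones documented by kubernetes-reflector, used here only as constructed test data. Because anyone who can write the Ingress controls what ends up on the Secret, the example validates each key against the Kubernetes qualified-name shape and refuses keys under the `cert-manager.io/` prefix (a design choice of this example, since cert-manager writes its own annotations on the Secret); which external annotation keys are acceptable is left to cluster policy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecretAnnotationsKey is a hypothetical Ingress annotation (assumed for this
// example, not a cert-manager annotation) whose value is "k=v,k=v" pairs to be
// copied into Certificate.spec.secretTemplate.annotations.
const SecretAnnotationsKey = "cert-manager.io/secret-template-annotations"

// SecretTemplate mirrors the shape of Certificate.spec.secretTemplate
// (annotations and labels), defined locally so the example runs without
// importing cert-manager's Go types.
type SecretTemplate struct {
	Annotations map[string]string
	Labels      map[string]string
}

// qualifiedName is a simplified check of the Kubernetes annotation-key rule:
// an optional DNS-subdomain prefix followed by "/", then a name of at most
// 63 characters that starts and ends with an alphanumeric character.
var qualifiedName = regexp.MustCompile(
	`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?` +
		`[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$`)

// parsePairs turns "k1=v1, k2=v2" into a map, rejecting malformed pairs,
// invalid keys, duplicates, and keys in the cert-manager.io namespace.
func parsePairs(raw string) (map[string]string, error) {
	out := map[string]string{}
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		k, v, ok := strings.Cut(pair, "=") // value may itself contain "="
		if !ok {
			return nil, fmt.Errorf("malformed pair %q: expected key=value", pair)
		}
		k = strings.TrimSpace(k)
		if !qualifiedName.MatchString(k) {
			return nil, fmt.Errorf("invalid annotation key %q", k)
		}
		if strings.HasPrefix(k, "cert-manager.io/") {
			return nil, fmt.Errorf("annotation key %q: cert-manager.io/ prefix is reserved", k)
		}
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("duplicate annotation key %q", k)
		}
		out[k] = strings.TrimSpace(v)
	}
	return out, nil
}

// SecretTemplateFromIngress builds the secretTemplate for the Certificate that
// would be generated from an Ingress with the given annotations. It returns
// nil when the Ingress does not request any Secret annotations, so the
// generated Certificate is unchanged for existing users.
func SecretTemplateFromIngress(ingressAnnotations map[string]string) (*SecretTemplate, error) {
	raw, ok := ingressAnnotations[SecretAnnotationsKey]
	if !ok {
		return nil, nil
	}
	ann, err := parsePairs(raw)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", SecretAnnotationsKey, err)
	}
	if len(ann) == 0 {
		return nil, nil
	}
	return &SecretTemplate{Annotations: ann}, nil
}

func main() {
	// Constructed sample: an Ingress asking for the TLS Secret to be mirrored
	// into istio-system by kubernetes-reflector.
	ingress := map[string]string{
		"kubernetes.io/ingress.class": "nginx",
		SecretAnnotationsKey: "reflector.v1.k8s.emberstack.com/reflection-allowed=true," +
			"reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces=istio-system",
	}
	st, err := SecretTemplateFromIngress(ingress)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for k, v := range st.Annotations {
		fmt.Printf("secretTemplate.annotations[%s] = %s\n", k, v)
	}
}
```

The same parser would serve option [2] (an Issuer/ClusterIssuer annotation) unchanged; only the object the annotation is read from differs, which is also where the authorisation boundary moves: an Issuer is typically cluster-admin managed, whereas an Ingress is owned by the application team.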

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 7, 2024
@wallrj
Member

wallrj commented Mar 13, 2024

Not using ingress-shim at all and manually creating Certificate resources in all cases, not feasible.

@mangeshhambarde I'm interested to know why it is not feasible.
I think that manually creating Certificate resources is a good approach.
But I would like to understand how you intend to use ingress-shim and use that to write better justifications in the documentation:
