Adds ingress annotation support for alt-names

[vanveele]

Pull Request Motivation

Add support for ingress annotation controlling Certificate SAN DNS names. Fixes #5897 .

Kind

/kind feature

Release Note

Add support for ingress annotation cert-manager.io/alt-names

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vanveele
Once this PR has been reviewed and has the lgtm label, please assign inteon for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jetstack-bot]

Hi @vanveele. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ashtonian]

Looking forward to using this.

[inteon]

@vanveele Normally, the DNS names should be based on what is configured in the ingress right?
see https://cert-manager.io/docs/usage/ingress/#:~:text=placing%20a%20host%20in%20the%20TLS%20config%20will%20determine%20what%20ends%20up%20in%20the%20cert%27s%20subjectAltNames

Could you explain why you cannot specify an additional DNS name in that list of hosts?

[cornfeedhobo]

@SgtCoDFish Can you help out to get someone be assigned to triage this? It's small but offers great value. Please and thank you :)

[SgtCoDFish]

Can you help out to get someone be assigned to triage this? It's small but offers great value. Please and thank you :)

I think I'd agree with Tim's question to be honest; why is this required? I'm not saying it's definitely not required, but at least on the face of it, I'd think that this seems redundant!

I wouldn't personally want to use this - which again doesn't mean it's not useful to someone, but I think it would be worth hearing a bit more detail on this first!

[cornfeedhobo]

@SgtCoDFish Could you link me to Tim's question? I'm not seeing it.

I think this comment sums it up well:

We simply want to ability to describe the certificate SAN attribute via cert-manager.io annotations on Ingress resources, this is extremely helpful in scenarios where you need to rebuild the cluster in another region and/or cloud provider where you need certificates with the region / cloud provider information and keep vanity SANs for disaster recovery options.

I'm in this exact same boat. We have a hot-spare cluster that we want to carry the same SAN as the other control plane, in case we need to cut over. AFAIK, the only way to do this is by creating a Certificate resource directly, which is a bit more onerous for some services.

Is there an undocumented annotation that covers this use case already, or maybe something else I'm missing?

Thanks as always for staying on top of this org!

[SgtCoDFish]

Could you link me to Tim's question? I'm not seeing it.

Apologies, I should have tagged @inteon rather than using his name! I meant this comment.

Specifically:

Could you explain why you cannot specify an additional DNS name in that list of hosts?

Going from your example, I think I'm still missing why that's not possible (not saying it's impossible - I just want to understand!)

My view of this architecture with (say) an AWS EKS primary and a GKE hot spare would be that both clusters would have an Ingress for the main domain example.com and so both would have the relevant DNS subject alt name. What's different to that? What am I missing?

Question number 2: This PR currently overrides the DNS names which have been retrieved from the Ingress entirely. Is that functionality required in your infrastructure or would appending names work? Appending seems much more natural to me - the auto-updating dns names from an ingress seems like the primary selling point for ingress-shim?

[cornfeedhobo]

My view of this architecture with (say) an AWS EKS primary and a GKE hot spare would be that both clusters would have an Ingress for the main domain example.com

That might be a condition specific to those clouds. I can't really speak to those - I'm working on-premise. I assume managed clusters use a native concept of autoscaling and use an out-of-band load balancer to reach the control plane. And AWS/GKE LBs use their own CA so they can issue whatever certs they want, without some of the constraints that on-prem would be subject to with ACME HTTP01 services.

Edit: I think I get where you are going here. Let's use the rancher chart's Ingress resource as an example. The user is only given the option of setting the hostname and not other names, yet the chart does expose the option of adding arbitrary annotations. I think it's constraints like these that are leading to this request. That said, you're in the weeds on this topic every day; please let me know if there is another way I'm not seeing.

This PR currently overrides the DNS names which have been retrieved from the Ingress entirely.

Hmm good catch. I don't have a great answer for this off the cuff. Maybe I can dedicate some more review and testing time in November or December and validate this fully.

[SgtCoDFish]

The user is only given the option of setting the hostname and not other names, yet the chart does expose the option of adding arbitrary annotations.

I can see how that would be annoying yeah. I'd not considered Ingress resources which the end users don't fully "own".

I think where I'm landing with this for now is:

• If a user needs to configure entirely arbitrary DNS names, that sounds like they should be using a Certificate resource. It's not always quite as convenient as an ingress annotation, but I think it makes sense to me.
  • This applies to the PR as currently implemented. I just can't see why we should make this specific change to replace all DNS names
• I do think I can imagine why a user would want to add extra DNS names via an annotation. It allows us to model things like "This Ingress doesn't currently serve traffic for example.com but it might start doing later" or "The ingress cannot be edited but it's actually also available with a different DNS name"
  • This also introduces a need for deduplication as well
  • Also this doesn't work well for HTTP-01 ACME, but maybe that's fine - it doesn't have to work for every possible issuer for it to make sense

In summary, I don't think I'd merge this PR as-is with it replacing the DNSNames. I think there's a case to be made for this feature if it appended to the DNS names - I'd value the input of other maintainers and community members on this too.

[vanveele]

Behaviour to replace spec was picked to remain consistent with other existing annotations, for example the adjacent cert-manager.io/email-sans, but also makes the annotation match exactly the value of the resulting annotation applied on the TLS secret.

If the ingress annotation were appended to the existing dnsnames then the TLS secret annotation of the same name would differ in value.

Changing the ingress annotation name from 'cert-manager.io/alt-names' -> 'cert-manager.io/additional-alt-names' to implement the new logic may avoid confusion.

[SgtCoDFish]

Changing the ingress annotation name from 'cert-manager.io/alt-names' -> 'cert-manager.io/additional-alt-names' to implement the new logic may avoid confusion.

I definitely agree - we should rename to that. Or to more closely match the existing names, maybe cert-manager.io/additional-dns-sans?

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[rossigee]

/remove-lifecycle stale

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale