
Support for certificate annotations on Istio Gateway/Virtual Service #78

Open
dafe-corporate-sap opened this issue Apr 24, 2024 · 4 comments
Assignees
Labels
enhancement New feature or request go Pull requests that update Go code

Comments

@dafe-corporate-sap

The new version of https://github.com/gardener/cert-management/releases/tag/v0.14.0 enables the possibility to annotate "Istio Gateway/Virtual Service"; as a result, the certificate manager will be able to create the certificate secret in the istio namespace.
Thus cap-operator will not need to create the certificate object in the istio system namespace.

@Pavan-SAP
Contributor

Hi Daniel,
Thanks for this info.
We plan to do this along with a similar feature we got to know about a while back w.r.t. annotating for DNSEntries https://github.com/gardener/external-dns-management/releases/tag/v0.18.0 (available for a few months now), so that in Gardener clusters both DNS records and certificates can be taken over by Gardener controllers and we are not manually doing the same.

We need to plan whether we can just do the implementation assuming (and documenting) that all clusters are running these newer versions, or whether we provide an option to switch this on for a while.

This issue will be updated once the implementation happens.

Thanks & Regards,
Pavan

@Pavan-SAP Pavan-SAP self-assigned this Apr 24, 2024
@Pavan-SAP Pavan-SAP added enhancement New feature or request go Pull requests that update Go code labels Apr 24, 2024
@dafe-corporate-sap
Author

dafe-corporate-sap commented Apr 24, 2024

Hi Pavan,

external-dns-management 0.18.4 is already present in Gardener Canary.
As for cert-manager 0.14.0, it needs to undergo some rounds of testing first;
we will monitor and let you know.

@dafe-corporate-sap
Author

Hi @Pavan-SAP,

I have tested feature gardener/cert-management#174, which has been delivered via https://github.com/gardener/cert-management/releases/tag/v0.14.0, on gardener/canary and gardener/live, and it is working.

After putting the annotation on the gateway object:

cert.gardener.cloud/purpose: managed

a certificate object is created in the same namespace as the gateway with the name

<gateway name>-<generated string>

and the owner reference is set to the originating gateway.
A TLS secret is also created, which is referenced in the certificate spec.

Can you please come up with a proposal for how this feature can be utilized by cap-operator?
Not every user of cap-operator should use Gardener or gardener/cert-management, so it would probably be good to configure it at the CAPApplication level.

@dafe-corporate-sap
Author

dafe-corporate-sap commented Oct 29, 2024

In our setup (cluster-setup) we also need to specify another annotation, cert.gardener.cloud/secret-namespace: istio-system, which will create the certificate secrets in the istio-system namespace.

This annotation is supported by shoot-cert-service v1.45.0.
It contains the newest release of cert-management, v0.16.0, with gardener/cert-management#316.
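As an added illustration (not cap-operator's or cert-management's code), a Go sketch of the two pieces cap-operator would need for the behaviour described in the two comments above: setting the purpose annotation plus the optional secret-namespace annotation on a Gateway, and verifying that a Certificate the Gardener controller produced is the one owned by that Gateway (same namespace, name prefixed with the gateway name, owner reference to the Gateway). The metadata types, function names and sample object names are assumptions.

```go
package main
import "strings"
// Stand-ins for Kubernetes metadata (assumption; cap-operator would use k8s.io/apimachinery).
type OwnerReference struct{ Kind, Name string }
type ObjectMeta struct {
	Name, Namespace string
	Annotations     map[string]string
	OwnerReferences []OwnerReference
}

const ( // annotation keys as given in the issue
	purposeAnnotation         = "cert.gardener.cloud/purpose"
	secretNamespaceAnnotation = "cert.gardener.cloud/secret-namespace"
)

// AnnotateGateway marks an Istio Gateway for Gardener cert-management. An empty
// secretNamespace keeps the TLS secret next to the gateway; otherwise it goes to
// that namespace (e.g. istio-system). Returns true only when something changed.
func AnnotateGateway(gw *ObjectMeta, secretNamespace string) bool {
	if gw.Annotations == nil {
		gw.Annotations = map[string]string{}
	}
	want := map[string]string{purposeAnnotation: "managed"}
	if secretNamespace != "" {
		want[secretNamespaceAnnotation] = secretNamespace
	}
	changed := false
	for k, v := range want {
		if gw.Annotations[k] != v {
			gw.Annotations[k] = v
			changed = true
		}
	}
	return changed
}

// CertificateOwnedByGateway checks the contract described in the issue: same
// namespace, name <gateway name>-<generated string>, owner reference to the Gateway.
func CertificateOwnedByGateway(cert, gw ObjectMeta) bool {
	if cert.Namespace != gw.Namespace || !strings.HasPrefix(cert.Name, gw.Name+"-") {
		return false
	}
	for _, ref := range cert.OwnerReferences {
		if ref.Kind == "Gateway" && ref.Name == gw.Name {
			return true
		}
	}
	return false
}
```

Because AnnotateGateway reports whether anything changed, a reconciler can skip a no-op update of the Gateway on every loop.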
