feat: cert-manager integration #1261
Conversation
10ko
changed the title
| @@ -342,6 +345,14 @@ export const kubernetesConfigBase = providerConfigBaseSchema | |||
| tlsCertificates: joiArray(tlsCertificateSchema) | |||
| .unique("name") | |||
| .description("One or more certificates to use for ingress."), | |||
| tlsManager: joi.string() | |||
| .optional() | |||
| .example("cert-manager") | |||
There was a problem hiding this comment.
Pro-tip: You can use .allow(...values) to specify which specific values are allowed
| await helm({ ctx, namespace: systemNamespace, log, args: [...installArgs] }) | ||
| console.log("Success?") | ||
| return "" | ||
| } |
There was a problem hiding this comment.
Why not just use a helm module and additionally set that label on the system namespace? Is there something else that requires the custom code?
There was a problem hiding this comment.
I thought of implementing the installation programmatically because I wanted to create other resources needed (like Issuers, etc) before starting to deploy the services.
I see your point and I might end up doing that since I might be able to delegate the creation of those resources later on but still before deploying.
Still working that part out because we need the certificate in order to deploy an ingress but cert-manager issues a certifcate annotating the ingress itself.
This part will undoubtely change soon.
10ko
force-pushed
the
cert-manager
branch
7 times, most recently
from
83f7d5b to
2ec44f7
Compare
|
Still working on the guide and on an example, code is here and has been tested against one of our dev clusters. |
| name: joi.string() | ||
| .required() | ||
| .allow("cert-manager") | ||
| .description("The name of the certificate manager of choice. Currently supporting only cert-manager.") |
There was a problem hiding this comment.
Do we actually anticipate supporting multiple ones? I think I'd suggest calling the config key certManager and having a certManager.enable field. If we do end up supporting others, I expect it'll be after this functionality is split into separate plugins.
There was a problem hiding this comment.
That is fair enough. I am still not sure how the plugin architecture would develop but if you think it would be possible to support something like this, that's ok with me. :)
I'll change it to be more specific.
There was a problem hiding this comment.
I would though leave the field managedBy: cert-manager on the IngressTlsCertificate or change it to managedBy: "cert-manager" | "manual" with a default to "manual" of course.
I am not a big fan of managedByCertManager: boolean, certManagerCertificate or similar.
|
Just noticed this, probably worth documenting that the minimum supported K8s version is 1.11: https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html |
|
|
||
| [providers](#providers) > [tlsCertificates](#providerstlscertificates) > managedBy | ||
|
|
||
| A reference to the Tls certificates manager used to generate the certificate. |
|
|
||
| [providers](#providers) > [certManager](#providerscertmanager) > enable | ||
|
|
||
| Enable the cert-manager integration. |
There was a problem hiding this comment.
Would be good to link the guide here.
| @@ -19,10 +19,21 @@ export interface ProviderSecretRef { | |||
| namespace: string | |||
| } | |||
|
|
|||
| export type TlsManager = "cert-manager" | "manual" | |||
| export type LEServerType = "staging" | "prod" | |||
There was a problem hiding this comment.
I'd prefer a more verbose name, LetsEncryptServerType
| export interface CertManagerConfig { | ||
| enable: boolean | ||
| email?: string | ||
| installOnly?: boolean |
There was a problem hiding this comment.
I'd suggest removing installOnly and replacing enable with install. That way people can choose to use their own cert-manager installation but still use the managedBy: cert-manager feature.
There was a problem hiding this comment.
If we remove the enable, what would the config file look like in the case I want to use my own installation? Because all other options are not mandatory.
There was a problem hiding this comment.
You would still need to specify the email if you want Garden to take care of it.
Nevermind. 🤦♂
There was a problem hiding this comment.
For semantic validation, e.g. "this is required if that other field is set, but otherwise not", we can add explicit checks and error messages in the configureProvider handler.
There was a problem hiding this comment.
Implemented that on the kubernetes.configureProvider
| The email which will be used for creating Let's Encrypt certificates: | ||
| if your certificates are being created by Garden this field is required.`) | ||
| .example("[email protected]"), | ||
| installOnly: joi.boolean() |
There was a problem hiding this comment.
I think it might be good, just for clarity, to add a few fields that don't actually do anything for now, but set the config structure and serve to document our coverage a bit better. My suggestion:
- Add an
acmeChallengeTypefield with the only option we support (e.g..allow("HTTP-01"). - Add an
issuerfield with just "acme" supported for now. - Add an
acmeServerfield with just "letsencrypt-staging" and "letsencrypt-prod" supported for now (as shorthands for the appropriate server URLs, and later we could support custom URLs).
10ko
force-pushed
the
cert-manager
branch
4 times, most recently
from
079a2b5 to
eabf8eb
Compare
10ko
changed the title
|
|
||
| The goal of this integration is to give you a head start when setting the TLS certificates for your project with cert-manager, providing an easy way for installation and some sensible defaults while allowing full control of the underlying configuration. | ||
|
|
||
| The goal of this integrations is NOT to be a wrapper around cert-manager, nor to allow a garden user to fully-customize certificates generation through Garden. |
There was a problem hiding this comment.
I think this is a little hard to digest. I suppose the point is that we don't aim to fully support all the features of cert-manager, but rather accommodate the most common use case, something to that effect?
There was a problem hiding this comment.
Yes, what I wanted to express is that cert-manager is there, we just make your life easier at the beginning but at the same time you won't get a full wrapper around. Your sentece express it better.
|
|
||
| ### Requirements | ||
|
|
||
| We assume you have been taking care of setting up your domain names and your networking configuration is in place and functioning correctly. |
There was a problem hiding this comment.
This could use more clarification. Specifically, we require you to have configured your DNS and routing so that the domains you will configure below are pointed to your ingress controller.
|
|
||
| ### Challenge Type | ||
|
|
||
| The challenge type currently supported is Let's Encrypt [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/). |
There was a problem hiding this comment.
On a second read, the flow in this section feels a little odd. I'd prefer to start the "Issuing your first certificate" section with what you're supposed to do + an example. Then we can elaborate with what's happening behind the scenes + the note on the limitations.
10ko
force-pushed
the
cert-manager
branch
2 times, most recently
from
32dec73 to
788c752
Compare
|
I've added a commit with some iteration on the docs. @eysi09 could you perhaps lend another pair of eyes on the docs+reference, and see if it all holds up? |
edvald
force-pushed
the
cert-manager
branch
2 times, most recently
from
bcbf756 to
d64a761
Compare
|
|
||
| ### Scope | ||
|
|
||
| This guide aims at outlining configuration and best practices when dealing with TLS certificates, cert-manager and Garden. |
There was a problem hiding this comment.
aims at outlining sounds a little weird. Why not just outlines?
|
|
||
| This guide aims at outlining configuration and best practices when dealing with TLS certificates, cert-manager and Garden. | ||
|
|
||
| When starting a new project or when maintaining your existing ones, dealing with the creation and renewal of certificates can easily become a very complex task. Many projects appeared in the last few years to help managing this complexity and one that stood out is [cert-manager](https://github.com/jetstack/cert-manager). |
There was a problem hiding this comment.
Many projects have appeared... (add have)
|
|
||
| When starting a new project or when maintaining your existing ones, dealing with the creation and renewal of certificates can easily become a very complex task. Many projects appeared in the last few years to help managing this complexity and one that stood out is [cert-manager](https://github.com/jetstack/cert-manager). | ||
|
|
||
| The goal of this integration is to give you a head start when setting the TLS certificates for your project with cert-manager, providing an easy way for installation and some sensible defaults while allowing full control of the underlying configuration. |
There was a problem hiding this comment.
The motivation behind this integration...
|
|
||
| When starting a new project or when maintaining your existing ones, dealing with the creation and renewal of certificates can easily become a very complex task. Many projects appeared in the last few years to help managing this complexity and one that stood out is [cert-manager](https://github.com/jetstack/cert-manager). | ||
|
|
||
| The goal of this integration is to give you a head start when setting the TLS certificates for your project with cert-manager, providing an easy way for installation and some sensible defaults while allowing full control of the underlying configuration. |
There was a problem hiding this comment.
full control over the underlying (over instead of of)
| The goal of this integration is to give you a head start when setting the TLS certificates for your project with cert-manager, providing an easy way for installation and some sensible defaults while allowing full control of the underlying configuration. | ||
| We don't aim to fully support all the features of cert-manager, but rather accommodate the most common use case while still allowing full control of the underlying setup. | ||
|
|
||
| Please read the defaults settings and configurations in each of the following sections. |
There was a problem hiding this comment.
Please read about the default settings (s/read the/read about the/, s/defaults/default).
Or maybe just:
You can read about the default settings and configurations...
| 1) cert-manager will create a ClusterIssuer in your cluster which will generate your certificate. | ||
| 2) It will then create a Certificate resource to request the TLS certificate. | ||
| 3) Cert-manager will then automatically spin up an nginx ingress to solve the HTTP-01 acmeChallenge. | ||
| 4) Once the challenge is solved the TLS certificate will be stored as a secret using the name/namespace specified above (eg. `cert-manager-example/tls-secret-for-certificate`) |
|
|
||
| ### ClusterIssuer vs Issuer | ||
|
|
||
| cert-manager have two different Certificate issuers: namespaced and cluster one. Garden will only create ClusterIssuers. |
|
|
||
| ### The certificate creation timeouts and garden terminates | ||
|
|
||
| > Please make sure your domain name is pointing at the right ip address. |
| Please find more info in the ["Issuing an ACME certificate using HTTP validation"](https://docs.cert-manager.io/en/release-0.11/tutorials/acme/http-validation.html#issuing-an-acme-certificate-using-http-validation) guide in the official cert-manager documentation. | ||
|
|
||
| --- | ||
| If have any issue, found a bug or something is not clear in the documentation, please don't hesitate opening a new [Github issue](https://github.com/garden-io/garden/issues/new?template=BUG_REPORT.md) or ask us any question in our [Slack channel](https://chat.garden.io/). |
|
|
||
| [providers](#providers) > [certManager](#providerscertmanager) > issuer | ||
|
|
||
| the type of issuer for the certificate. Currently only supporting ACME Let's Encrypt issuers. |
What this PR does / why we need it:
Implement the cert-manager integration. This will allow installation and configuration of Tls certificates through Garden.
Special notes for your reviewer:
NOTE: please merge after #1317
For this feature to work properly, it needs better "readiness" check for Pods. I implemented and reverted a basic check in favour of @edvald implementation in the "artifact PR".