[Addon] add let's encrypt acme support to cert-manager #438
Signed-off-by: Charlie Chiang <charlie_c_0129@outlook.com>
Let's hold this PR until v1.6.0-alpha.1 is released
hold until 1.6.0-alpha.1
@charlie0129 How to use the ability provided by this addon? BTW, is it easy to support Aliyun DNS?
Once this addon is set up (described in README), a Secret containing a valid TLS certificate will be available. Then this Secret can be added to Ingress (or anything that can accept a certificate) to serve encrypted traffic. I will put a tutorial (using cert-manager together with traefik to serve HTTPS traffic) in README once I have time to work on it (I am a bit busy lately), so traefik addon will be updated later as well. This is just part of the whole process.
Well, it may require a bit more work since Aliyun DNS is not officially supported. We need to run an additional 3rd-party webhook service to get it working (there is one available here). We can support this in the future.
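The flow described in the reply above (issuer, then a certificate Secret, then an Ingress that references it), written as plain cert-manager resources. This is an added example, not part of the thread and not the addon's own templates; it assumes the DNS-01 challenge with Cloudflare, and every name, the domain and the e-mail address are placeholders.

```yaml
# Added example: plain cert-manager resources, not the addon's templates.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01            # placeholder name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com         # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-account-key  # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            # Scoped API token rather than the global API key. For a
            # ClusterIssuer this Secret must live in cert-manager's cluster
            # resource namespace ("cert-manager" by default).
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls        # Secret that will hold tls.crt / tls.key
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:                          # one domain plus all of its subdomains
    - example.com
    - "*.example.com"                # wildcard names require DNS-01
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default                 # must match the Secret's namespace
spec:
  tls:
    - hosts: [app.example.com]
      secretName: example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: web, port: {number: 80}}}}
```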
So, does it only support one domain?
Right. Currently, one domain with all of its subdomains. That should fit most cases? Multiple domains can be supported. If it is much needed, I can support it in the future.
It would be very good if it could support multiple domains. Users could create an integration config like the
Sure, I put this feature request in #368 so I can keep track of it
Great work.
I think bumping up CI to
Oh, is it? I will revert it. I bumped it because otherwise we cannot test
07af190 to 57daab8
Yes, fluxcd addon cannot be enabled with 1.6.0 temporarily.
LGTM
Signed-off-by: Charlie Chiang charlie_c_0129@outlook.com
Description of your changes
Add Let's Encrypt ACME support to cert-manager addon.
Now, we can:
Limitations:
Fixes part of #368, later I will make changes to the Traefik addon as well. So we can use these together to automatically create websites with valid TLS certificates.
Special Note:
The vela version requirement is marked as >=1.6.0-alpha.1 in this addon. This is because a special CUE feature called multiple comprehensions per list is required in this addon, which is only available in CUE v0.3 and later. The master branch of vela has CUE v0.4.4 (which will work fine), but vela v1.5.0 (our latest release) only has CUE v0.2.2, so I have to mark it as >=1.6.0-alpha.1 to prevent problems.
That's why the CI will fail (it is using v1.5.0, I have excluded this addon). But users can still install the last-compatible version of cert-manager (it is an automatic fallback), because the catalog is versioned.
Also fixed some CI problems:
How has this code been tested?
Tested with Cloudflare DNS and successfully acquired a TLS certificate