
[Addon] add let's encrypt acme support to cert-manager #438

Merged (13 commits), Aug 25, 2022

Conversation

charlie0129 (Member) commented Aug 10, 2022

Signed-off-by: Charlie Chiang charlie_c_0129@outlook.com

Description of your changes

Add Let's Encrypt ACME support to cert-manager addon.

Now, we can:

  • Automatically get valid wildcard TLS certificates
  • Auto renewal

Limitations:

  • Currently only Cloudflare DNS is supported and tested.
  • Will only acquire wildcard certificates (*.example.com, example.com), but this should be enough for most cases.

Fixes part of #368; later I will make changes to the Traefik addon as well, so we can use these together to automatically create websites with valid TLS certificates.

Special Note:

The vela version requirement is marked as >=1.6.0-alpha.1 in this addon. This is because a special CUE feature called multiple comprehensions per list is required in this addon, which is only available in CUE v0.3 and later. The master branch of vela has CUE v0.4.4 (which will work fine), but vela v1.5.0 (our latest release) only has CUE v0.2.2, so I have to mark it as >=1.6.0-alpha.1 to prevent problems.

That's why the CI will fail (it is using v1.5.0; I have excluded this addon). But users can still install the last-compatible version of cert-manager (it is an automatic fallback), because the catalog is versioned.

Also fixed some CI problems:

  • refactored pending addon list to a file
  • remove unprintable characters in logs, to avoid cluttering

How has this code been tested?

Tested with Cloudflare DNS and successfully acquired a TLS certificate

Checklist

I have:

  • Title of the PR starts with type (e.g. [Addon] , [example] or [Doc]).
  • Updated/Added any relevant documentation and examples.
  • New addon should be put in experimental.
  • Update addon should modify the version in metadata.yaml to generate a new version.

@charlie0129 charlie0129 marked this pull request as ready for review August 10, 2022 14:11
@charlie0129 charlie0129 changed the title [Addon] cert-manager tls acme [Addon] add let's encrypt acme support to cert-manager Aug 10, 2022
charlie0129 (Member, Author):

Let's hold this PR until v1.6.0-alpha.1 is released.

wonderflow (Collaborator) left a comment:

hold until 1.6.0-alpha.1

wonderflow previously approved these changes Aug 24, 2022
barnettZQG (Collaborator):

@charlie0129 How to use the ability provided by this addon? BTW, is it easy to support Aliyun DNS?

charlie0129 (Member, Author) commented Aug 24, 2022

> @charlie0129 How to use the ability provided by this addon?

Once this addon is set up (described in README), a Secret containing a valid TLS certificate will be available. Then this Secret can be added to an Ingress (or anything that can accept a certificate) to serve encrypted traffic.

I will put a tutorial (using cert-manager together with traefik to serve HTTPS traffic) in the README once I have time to work on it (I am a bit busy lately), so the traefik addon will be updated later as well. This is just part of the whole process.

> BTW, is it easy to support Aliyun DNS?

Well, it may require a bit more work since Aliyun DNS is not officially supported. We need to run an additional 3rd-party webhook service to get it working (there is one available here). We can support this in the future.
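As an added example (not the addon's own CUE, which this page does not show), here is how the setup described in this PR can be expressed in CUE: the list of DNS names is built with two comprehensions in one list, the CUE v0.3+ feature behind the >=1.6.0-alpha.1 requirement, and the ClusterIssuer/Certificate pair mirrors the Cloudflare DNS-01 wildcard flow whose output Secret an Ingress then references. The resource names, domain, email and Secret key names are assumptions.

```cue
package main

// Constructed input for this example; the addon's own parameter names may differ.
_domains: ["example.com"]

// Two comprehensions in one list: the CUE v0.3+ feature the PR's version
// requirement is about. Yields ["*.example.com", "example.com"].
_dnsNames: [
	for d in _domains {"*.\(d)"},
	for d in _domains {d},
]

// ACME issuer using the Cloudflare DNS-01 solver. The referenced Secret must
// live in cert-manager's own namespace because this is a ClusterIssuer, and
// the Cloudflare API token it holds should be scoped to Zone:DNS:Edit plus
// Zone:Zone:Read only, never a global API key.
issuer: {
	apiVersion: "cert-manager.io/v1"
	kind:       "ClusterIssuer"
	metadata: name: "letsencrypt-prod"
	spec: acme: {
		server: "https://acme-v02.api.letsencrypt.org/directory"
		email:  "admin@example.com" // placeholder contact for expiry notices
		privateKeySecretRef: name: "letsencrypt-prod-account-key"
		solvers: [{
			dns01: cloudflare: apiTokenSecretRef: {
				name: "cloudflare-api-token"
				key:  "api-token"
			}
		}]
	}
}

// Wildcard certificate; cert-manager stores the issued key pair in secretName,
// which an Ingress can then reference under spec.tls[].secretName.
certificate: {
	apiVersion: "cert-manager.io/v1"
	kind:       "Certificate"
	metadata: {name: "wildcard-example-com", namespace: "default"}
	spec: {
		secretName: "wildcard-example-com-tls"
		issuerRef: {name: issuer.metadata.name, kind: issuer.kind}
		commonName: _dnsNames[0]
		dnsNames:   _dnsNames
	}
}
```

Render either resource with `cue export -e issuer --out yaml` or `cue export -e certificate --out yaml`; on CUE older than v0.3 the two-comprehension list fails to parse, which is the breakage the version pin avoids.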

barnettZQG (Collaborator):

> > @charlie0129 How to use the ability provided by this addon?
>
> Once this addon is set up (described in README), a Secret containing a valid TLS certificate will be available. Then this Secret can be added to an Ingress (or anything that can accept a certificate) to serve encrypted traffic.
>
> I will put a tutorial (using cert-manager together with traefik to serve HTTPS traffic) in the README once I have time to work on it (I am a bit busy lately), so the traefik addon will be updated later as well. This is just part of the whole process.
>
> > BTW, is it easy to support Aliyun DNS?
>
> Well, it may require a bit more work since Aliyun DNS is not officially supported. We need to run an additional 3rd-party webhook service to get it working (there is one available here). We can support this in the future.

So, does it only support one domain?

charlie0129 (Member, Author) commented Aug 24, 2022

> So, does it only support one domain?

Right. Currently, one domain with all of its subdomains. That should fit most cases? Multiple domains can be supported. If it is much needed, I can support it in the future.

barnettZQG (Collaborator):

> > So, does it only support one domain?
>
> Right. Currently, one domain with all of its subdomains. That should fit most cases. We can support multiple domains if it is much needed.

It would be very good if it could support multiple domains. Users could create an integration config like the config-tls-certificate, but only need to provide the domain.

charlie0129 (Member, Author):

> support multiple domains

Sure, I put this feature request in #368 so I can keep track of it.

wangyikewxgm previously approved these changes Aug 24, 2022

wangyikewxgm (Collaborator) left a comment:

Great work.

@charlie0129 charlie0129 dismissed stale reviews from wangyikewxgm and wonderflow via 07af190 August 24, 2022 13:44
wangyikewxgm (Collaborator):

I think bumping up CI to 1.6.1-alpha1 will break some addon tests.

charlie0129 (Member, Author):

> I think bumping up CI to 1.6.1-alpha1 will break some addon tests.

Oh, is it? I will revert it. I bumped it because otherwise we cannot test cert-manager, as it requires 1.6.0-alpha.1.

wangyikewxgm (Collaborator):

> > I think bumping up CI to 1.6.1-alpha1 will break some addon tests.
>
> Oh, is it? I will revert it. I bumped it because otherwise we cannot test cert-manager, as it requires 1.6.0-alpha.1.

Yes, the fluxcd addon cannot be enabled with 1.6.0 temporarily.

wangyikewxgm (Collaborator) left a comment:

LGTM

@wangyikewxgm wangyikewxgm merged commit a263165 into kubevela:master Aug 25, 2022