
feat: As a user, I want to be able to specify a default SSL cert for ingress controller, so that k8s secret only needs to be created once

Open sebschlue opened this issue 2 years ago • 3 comments

Description

It is currently not clear to me if a default ssl cert can be specified.

This can be handy if the ingress controller is responsible for a subdomain where a wildcard DNS entry and wildcard SSL cert exist, like *.bar.tld

When using regular ingress objects like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: foo
spec:
  ingressClassName: apisix
  tls:
  - hosts:
      - foo.bar.tld
    secretName: star-bar-tld-tls
  rules:
  - host: foo.bar.tld
    http:
      paths:
      - backend:
          service:
            name: bar-service
            port:
              number: 80
        path: /
        pathType: Prefix

the secret "star-bar-tld-tls" needs to be copied to all required namespaces as cross-namespace-references are not possible with traditional Ingress objects even though the "star" (wildcard) secret is identical in all namespaces.

But if it were possible to specify a default SSL cert for the whole ingress controller, then the ingress object could be simplified to

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo
  namespace: foo
spec:
  ingressClassName: apisix
  rules:
  - host: foo.bar.tld
    http:
      paths:
      - backend:
          service:
            name: bar-service
            port:
              number: 80
        path: /
        pathType: Prefix

and the secret would not need to be copied.

The ingress-nginx ingress controller supports this feature, but I did not find it explicitly mentioned in the APISIX ingress controller docs, so I guess it is not directly supported.

sebschlue avatar Jun 30 '23 07:06 sebschlue

You only want to use Ingress resources instead of CRDs like ApisixRoute, right?

tao12345666333 avatar Jun 30 '23 12:06 tao12345666333

ApisixRoute works great for me, but I think there is a similar thing there: for each ApisixRoute object, a corresponding ApisixTLS object would be needed as well, even though the actual secret could be referenced cross-namespace.

So, given this example of *.bar.tld with wildcard DNS entry and wildcard SSL certificate, it would be great if I could either:

(a) completely omit creation of ApisixTLS objects, thus causing the apisix ingress controller to just always use the global default SSL cert

(b) create only ONE ApisixTLS object that somehow specifies *.bar.tld as hostname, which I believe is not possible today

But of course this is just "nice to have", so just possible enhancement.

sebschlue avatar Jun 30 '23 12:06 sebschlue
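To make the "one ApisixTLS per ApisixRoute" situation from the comment above concrete, here is an added example manifest pair (not from the thread or the project docs) for the single host foo.bar.tld: the ApisixTLS references the shared wildcard secret across namespaces, so the secret itself is not copied, but the ApisixTLS object still has to exist per host. The namespace `certs` holding the secret and the names `foo-route`/`foo-tls` are assumptions.

```yaml
# Added example: route plus its per-host TLS object, referencing the
# wildcard secret that lives only in the assumed "certs" namespace.
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: foo
spec:
  http:
    - name: foo
      match:
        hosts:
          - foo.bar.tld
        paths:
          - /*
      backends:
        - serviceName: bar-service
          servicePort: 80
---
# One ApisixTLS is still needed for each host served with the wildcard cert;
# only the secret reference is cross-namespace, so no secret copy is required.
apiVersion: apisix.apache.org/v2
kind: ApisixTLS
metadata:
  name: foo-tls
  namespace: foo
spec:
  hosts:
    - foo.bar.tld
  secret:
    name: star-bar-tld-tls   # the wildcard cert from the original example
    namespace: certs         # assumed namespace where cert-manager stores it
```

Keeping the secret in a single namespace this way also limits which workloads can read the private key, which is what copying the secret into every application namespace gives up.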

@sebschlue did you find a solution? I'm looking at apisix as a replacement for kong and I have a similar problem if I do a 1-to-1 conversion of my setup. I'm currently using reflector with cert-manager to copy all "default" certificates into all other namespaces where I deploy my workloads and ingresses. Sometimes this gets stuck and it feels wrong :)

erSitzt avatar Jun 26 '24 08:06 erSitzt