
Adding custom annotation to cm ingress resources

Open guilhem opened this issue 10 months ago • 3 comments

Is your feature request related to a problem? Please describe.

All my ingresses are protected with an oauth2-proxy. https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#global-auth-url

But ACME challenge must be allowed with a custom annotation: nginx.ingress.kubernetes.io/enable-global-auth https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-external-authentication

Describe the solution you'd like

I should be able, like adding ClusterIssuer etc., to add arbitrary annotations to ingress resources.

Describe alternatives you've considered

Using Kyverno to patch the Ingress resource

ClusterPolicy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ingress-annotation
spec:
  rules:
    - name: annotate-ingress
      match:
        resources:
          kinds:
            - Ingress
          name: "cm-acme-http-solver-*"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              nginx.ingress.kubernetes.io/enable-global-auth: "false"

Additional context

https://github.com/cert-manager/cert-manager/blob/d073db164834b772f54aeb7ff1539e1dac3ca992/pkg/issuer/acme/http/ingress.go#L152

/kind feature

guilhem avatar Apr 15 '24 12:04 guilhem

Hey I think you can use this flag on the cert-manager-controller, --auto-certificate-annotations strings?

      --auto-certificate-annotations strings                 The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])

I found this running the latest image:

docker run -ti --rm quay.io/jetstack/cert-manager-controller:v1.14.5 --help

I might have misread it, but perhaps give that a go to see if you can add multiple strings to that argument, including the additional one you need?

--auto-certificate-annotations "kubernetes.io/tls-acme,nginx.ingress.kubernetes.io/enable-global-auth"

hawksight avatar May 08 '24 16:05 hawksight

To respond to myself, ingress-nginx has a dedicated option, no-auth-locations, to bypass authentication for specific locations, like /.well-known/acme-challenge (set by default).

guilhem avatar May 09 '24 09:05 guilhem
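The two ways the thread ends up exempting the ACME solver from global auth (the Kyverno rule that annotates cm-acme-http-solver-* Ingresses, and the ingress-nginx no-auth-locations default) can be checked side by side with a small model. This is an added example, not code from the issue or from cert-manager, Kyverno or ingress-nginx; the Ingress object and the oauth2-proxy URL are constructed, and auth_required is a deliberately simplified model of ingress-nginx's global external auth decision, not its real location matching.

```python
from fnmatch import fnmatch

ENABLE_GLOBAL_AUTH = "nginx.ingress.kubernetes.io/enable-global-auth"

# Constructed sample: an HTTP-01 solver Ingress as cert-manager names them,
# with no annotations of its own, and the challenge path it serves.
SOLVER_INGRESS = {
    "metadata": {"name": "cm-acme-http-solver-x7k2p", "annotations": {}},
}
CHALLENGE_PATH = "/.well-known/acme-challenge/abc123"

# Constructed ingress-nginx ConfigMap settings: a global auth URL (hypothetical
# oauth2-proxy address) and the no-auth-locations default the thread mentions.
CONTROLLER_CONFIG = {
    "global-auth-url": "https://oauth2-proxy.example.internal/oauth2/auth",
    "no-auth-locations": "/.well-known/acme-challenge",
}


def apply_policy(ingress, name_glob="cm-acme-http-solver-*"):
    """Mimic the Kyverno rule from the issue: Ingresses whose name matches the
    glob get enable-global-auth: "false"; others are returned unchanged.
    The input object is not mutated."""
    patched = {**ingress, "metadata": {**ingress["metadata"]}}
    if fnmatch(ingress["metadata"]["name"], name_glob):
        annotations = dict(ingress["metadata"].get("annotations", {}))
        annotations[ENABLE_GLOBAL_AUTH] = "false"
        patched["metadata"]["annotations"] = annotations
    return patched


def auth_required(ingress, path, config):
    """Simplified model of the global external auth decision: no global-auth-url
    means no auth; enable-global-auth "false" on the Ingress opts it out; a path
    under one of the comma-separated no-auth-locations prefixes is exempt."""
    if not config.get("global-auth-url"):
        return False
    if ingress["metadata"].get("annotations", {}).get(ENABLE_GLOBAL_AUTH) == "false":
        return False
    prefixes = [p.strip() for p in config.get("no-auth-locations", "").split(",") if p.strip()]
    return not any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)
```

With the default no-auth-locations the solver is already exempt without any annotation; clearing that setting shows the Kyverno rule becoming the thing that keeps the challenge reachable.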

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. /lifecycle stale

cert-manager-bot avatar Aug 07 '24 10:08 cert-manager-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. /lifecycle rotten /remove-lifecycle stale

cert-manager-bot avatar Sep 06 '24 10:09 cert-manager-bot