fiaas-deploy-daemon

Add support for disabling use of TLS per domain suffix

Open cha7ri opened this issue 3 years ago • 2 comments

Context:

We have clusters with two ingress controllers:

  • Public ingress controller using the domain example.com
  • Private ingress controller using the domain private.example.com

What do we want to achieve?

  • Use letsencrypt to issue certificates for example.com
  • Disable tls for private.example.com

Solution:

  • Set use-ingress-tls to default_on to enable tls by default for all ingresses
  • Add a new config option to FIAAS to disable tls for one or many domains. Example: tls-certificate-issuer-disable-for-domain-suffixes=private.example.com

What will change:

  • Group hosts that we want to disable tls for together in one ingress resource (if the user doesn't set annotations).
  • Do not add kubernetes.io/tls-acme: true or cert-manager.io/cluster-issuer: nameOfClusterIssuer annotation to the ingress resource.
  • This will tell cert-manager to not create a certificate for those hosts

cha7ri, Nov 15 '21 20:11
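The host grouping proposed in this issue, as an added sketch that is not part of the issue or of fiaas-deploy-daemon's own code: hosts are split on a label-boundary suffix match, so `notprivate.example.com` is not treated as part of `private.example.com` and keeps its certificate. The function names, the plan dictionary layout and the issuer name `letsencrypt` are assumptions made for illustration.

```python
# Added illustration; names below are hypothetical, not FIAAS identifiers.
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"  # annotation named in the issue


def matches_suffix(host, suffix):
    """True if host equals suffix or is a subdomain of it.

    Matching on a leading dot avoids the plain endswith() pitfall where
    'notprivate.example.com' would match the suffix 'private.example.com'.
    """
    host = host.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    if not suffix:
        return False  # an empty entry in the option must not disable TLS everywhere
    return host == suffix or host.endswith("." + suffix)


def plan_ingresses(hosts, disabled_suffixes, cluster_issuer):
    """Group hosts into one TLS ingress plan and one plain ingress plan."""
    tls_hosts, plain_hosts = [], []
    for host in hosts:
        if any(matches_suffix(host, s) for s in disabled_suffixes):
            plain_hosts.append(host)
        else:
            tls_hosts.append(host)

    plans = []
    if tls_hosts:
        plans.append({"hosts": tls_hosts, "tls": True,
                      "annotations": {ISSUER_ANNOTATION: cluster_issuer}})
    if plain_hosts:
        # No issuer annotation, so cert-manager issues nothing for these hosts.
        plans.append({"hosts": plain_hosts, "tls": False, "annotations": {}})
    return plans


# Constructed sample input.
SAMPLE_HOSTS = ["www.example.com", "api.private.example.com",
                "private.example.com", "notprivate.example.com"]

if __name__ == "__main__":
    for plan in plan_ingresses(SAMPLE_HOSTS, ["private.example.com"], "letsencrypt"):
        print(plan)
```
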

/sem-approve

oyvindio, Jan 06 '22 09:01

Any expected timeline for when this is to be merged? :)

arealmaas, Jun 29 '22 11:06