
guides: Document "default cert" for Ingress with TLS Certificate Delegation

Open stevesloka opened this issue 5 years ago • 7 comments

Contour has had TLS Certificate Delegation for some time now. Folks will ask about the "default" certificate pattern that exists in other ingress controllers and if Contour supports that.

Contour does support this today via the Cert Delegation feature. This works by telling Contour what cert you would like delegated to which namespace. Internally Contour keeps track of the certs and where they should exist.

Users can then reference a cert from their namespace without actually having it exist physically.

Here's an example of how this might work. We should write this up into a guide or docs somehow to make it clear how this could work:

```yaml
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: projectcontour-roots
spec:
  delegations:
    - secretName: containerstevecom-tls-wild
      # "*" delegates the secret to every namespace
      targetNamespaces:
      - "*"
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - containersteve.com
    # namespace/name reference to the delegated secret
    secretName: projectcontour-roots/containerstevecom-tls-wild
  rules:
    - host: containersteve.com
      http:
        paths:
        - path: /
          backend:
            serviceName: nginx
            servicePort: 80
```

stevesloka, Apr 30 '20 20:04
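The delegation rule described in the post above, as an added example that is not part of the original issue and is not Contour's own code: it audits which secrets are delegated to every namespace (`"*"`) and whether each cross-namespace `secretName` on an Ingress is covered by a delegation. The `team-a`/`team-b` objects and all function names are constructed for illustration, and manifests are given as already-parsed dicts so the block runs offline.

```python
# Added example: a model of the delegation rule, not Contour's own code.
# Every manifest below is constructed sample input (team-a/team-b are made up).
DELEGATIONS = [{
    "metadata": {"name": "example-com-wildcard", "namespace": "projectcontour-roots"},
    "spec": {"delegations": [
        {"secretName": "containerstevecom-tls-wild", "targetNamespaces": ["*"]},
        {"secretName": "team-a-tls", "targetNamespaces": ["team-a"]},
    ]},
}]
INGRESSES = [
    {"metadata": {"name": "tls-example-ingress", "namespace": "default"},
     "spec": {"tls": [{"secretName": "projectcontour-roots/containerstevecom-tls-wild"}]}},
    {"metadata": {"name": "borrowed", "namespace": "team-b"},
     "spec": {"tls": [{"secretName": "projectcontour-roots/team-a-tls"}]}},
    {"metadata": {"name": "local", "namespace": "team-b"},
     "spec": {"tls": [{"secretName": "team-b-tls"}]}},
]

def build_index(delegations):
    """Map (owner namespace, secret name) -> namespaces allowed to reference it."""
    index = {}
    for obj in delegations:
        owner = obj["metadata"]["namespace"]
        for d in obj["spec"].get("delegations", []):
            key = (owner, d["secretName"])
            index.setdefault(key, set()).update(d.get("targetNamespaces", []))
    return index

def wildcard_delegations(index):
    """Secrets delegated to "*", i.e. usable from any namespace in the cluster."""
    return sorted(key for key, targets in index.items() if "*" in targets)

def audit_ingresses(ingresses, index):
    """Classify each Ingress TLS secret reference as local, delegated or not-delegated."""
    results = []
    for ing in ingresses:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for tls in ing["spec"].get("tls", []):
            ref = tls.get("secretName", "")
            owner, _, secret = ref.rpartition("/")
            if not owner or owner == ns:
                verdict = "local"  # secret must exist in the Ingress's own namespace
            else:
                allowed = index.get((owner, secret), set())
                verdict = "delegated" if allowed & {"*", ns} else "not-delegated"
            results.append((ns, name, ref, verdict))
    return results
```

Against a live cluster, the same functions can be fed the `items` arrays from `kubectl get tlscertificatedelegations -A -o json` and `kubectl get ingress -A -o json`.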