Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Question] Custom CA - GA or Deprecated? #4596

Open TimJongerius opened 1 week ago

TimJongerius commented 1 week ago

We are currently leveraging the AKS Custom CA (Preview) feature to connect our AKS clusters with private, on-premise container registries (e.g., Nexus), which require custom Certificate Authorities (CAs). This is a crucial part of our setup, as we need to pull images from these private registries for compliance and security reasons.

Given that this feature has been in Preview for a significant period, we are concerned about its future, as we’ve heard rumors regarding its potential deprecation. The uncertainty around this is troubling, as many of our clients depend on this functionality for their production workloads.

Could you provide an update on the current state of the AKS Custom CA feature? Specifically:

What is the plan for this feature? Are there any timelines for it to reach General Availability (GA)?
What challenges are preventing it from moving out of Preview?
If deprecation is being considered, what alternatives should we explore to maintain the ability to connect AKS to private on-premise registries with custom CAs?

Our clients are eagerly waiting for a stable, supported solution, and any clarity you can provide would be greatly appreciated.

Best regards Tim Jongerius

jkroepke commented 1 week ago

> Our clients are eagerly waiting for a stable, supported solution, and any clarity you can provide would be greatly appreciated.

Issuing public certificates even for private endpoints is the best possible option that you have today.

TimJongerius commented 1 week ago

> Our clients are eagerly waiting for a stable, supported solution, and any clarity you can provide would be greatly appreciated.
>
> Issuing public certificates even for private endpoints is the best possible option that you have today.

Sadly that is not under our control so we have to live with what is given to us.

UtheMan commented 1 week ago

Hi @TimJongerius, the work required for GA is currently ongoing. While we are still exploring different options for our final GA design, the feature will be brought to GA. There is no definitive ETA to share right now, but we are targeting Q1 2025 at this time.

Potential changes that are being considered include removal of the "after node creation" flow, keeping only the "before node boots up" way.

If you have any comments/thoughts on how the feature works today - please feel free to share here. Feedback is always welcome and very helpful as we finalize the design.