Closed dkulchinsky closed 3 years ago
To be more specific, we're using cert-manager (https://cert-manager.io/) to issue Let's Encrypt certificates, so cert-manager will populate the ou-tls-certificate secret with the certs from Let's Encrypt, but how to ensure the operator is not going to override it?
maybe we need to remove this section from the OpenUnison manifest?
- create_data:
    ca_cert: true
    key_size: 2048
    server_name: {{ .Values.network.openunison_host }}
    sign_by_k8s_ca: false
    subject_alternative_names:
    - {{ .Values.network.dashboard_host }}
    {{ if eq .Values.enable_impersonation true }}
    - {{ .Values.network.api_server_host }}
    {{ end }}
  import_into_ks: certificate
  name: unison-ca
  tls_secret_name: ou-tls-certificate
this is a reasonable request.
maybe we need to remove this section from the OpenUnison manifest?
Precisely
great 👍 I'll try that, but I think we're also missing the ability to add an annotation to the ingress:
cert-manager.io/issuer: "letsencrypt-staging"
if I update the ingress manually, will the operator change it back?
No. The other option is to create a Certificate object so you don't need to add the annotation.
Just managed to glue this together 😄
ou-tls-certificate create_data block from orchestra
I guess my only ask is to be able to add custom annotations to the generated ingress resource 🙏
This method is preferred because it ensures cert-manager keeps track of all the ingresses and updates them accordingly.
I worked around point (2) above by creating a cert-manager Certificate resource that populates it in a secret that the Ingress then consumes; this seems to work well.
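The Certificate-resource workaround described above, as an added example (not from this thread or the OpenUnison project). It targets the same secret name the operator's create_data block uses, so the Ingress keeps consuming ou-tls-certificate while cert-manager, not the operator, owns its contents. The namespace, host names and issuer kind are assumptions; substitute your own values.

```yaml
# Added example: a cert-manager Certificate that fills the ou-tls-certificate
# secret consumed by the OpenUnison Ingress, replacing the self-signed cert the
# operator's create_data block would otherwise generate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ou-tls-certificate
  namespace: openunison            # assumption: namespace orchestra is deployed in
spec:
  # Must match tls_secret_name in the OpenUnison manifest so the Ingress
  # picks it up without any change to the generated Ingress resource.
  secretName: ou-tls-certificate
  issuerRef:
    name: letsencrypt-staging      # issuer named earlier in the thread
    kind: ClusterIssuer            # assumption; use Issuer if it is namespaced
  # Every host the operator previously put in server_name and
  # subject_alternative_names must be covered here, or TLS clients will
  # reject the certificate for the hosts that are missing.
  dnsNames:
    - k8sou.example.com            # assumption: .Values.network.openunison_host
    - k8sdb.example.com            # assumption: .Values.network.dashboard_host
    - k8sapi.example.com           # assumption: .Values.network.api_server_host (impersonation only)
```

Once cert-manager reports the Certificate as Ready, `kubectl -n openunison get secret ou-tls-certificate -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -issuer -dates` should show a Let's Encrypt issuer rather than unison-ca; if it reverts to unison-ca after a reconcile, the create_data block is still present and the operator has overwritten the secret.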
Our next release of the operator supports adding annotations to the ingress definition. We'll also support disabling the creation of ou-tls-certificate.
ohh, wonderful! can't wait for the next release 😄
Annotations are now supported on the Ingress from the Helm chart.
I've reviewed the steps described here https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#how-do-i-change-openunisons-certificates to replace the self-signed certificate with a custom one, but is it possible to do it as part of the installation to avoid extra steps?
specifically, we're using the helm chart to deploy this orchestra plugin.
Thanks!