PalmStoneGames / kube-cert-manager

Manage Let's Encrypt certificates for a Kubernetes cluster.
Apache License 2.0

Decide where to move this repo to now that PSG has closed down #33

Open luna-duclos opened 7 years ago

luna-duclos commented 7 years ago

Of course, moving the repo would break people's links, which I want to avoid. This issue is advance notice that this will happen in a few months, at which point this repo will be emptied and replaced with a single README.md pointing to the new location. Is this OK for everyone? If there are any issues with this plan, please let me know.

tazjin commented 7 years ago

@ensonic @munnerz My kubernetes-letsencrypt is slightly different in that it relies only on DNS challenges and not HTTP challenges.

If there is interest in basing these projects on a new ~TRP~ CRD it'd be cool if we could share that resource definition across multiple projects. I'm planning support for that in my project.

munnerz commented 7 years ago

I've been working on cert-manager quite a lot over the last few days, although not on a repo publicly right now (I'll get it opened up on github in the next few days) - I've decided to start again, and have based it heavily on custom resource definitions.

I've got some example manifests together that I'm keen for people to look over, and have some of the functionality already required. I've heavily focused on flexibility, and am keen to not lock us into just ACME as a certificate backend. You can look at the manifests here: https://gist.github.com/munnerz/258d3bff69242e86a13a6ea307bbc418

Can I propose we use #kube-lego on the kubernetes slack team for development chat? It'd be good to have a less formal communication channel.

munnerz commented 7 years ago

I've updated my own repo with the new code I've been working on -

I managed to issue my first certificate with it yesterday! It's not ready yet, but I'm starting to now open some more specific feature-request issues, and would welcome everyone else to do the same! https://github.com/munnerz/cert-manager

Any feedback on structure etc. would be greatly appreciated!

munnerz commented 7 years ago

I've been working a fair bit more on this over the last couple of weeks, and have opened numerous issues against the repo in order to track progress/ask for feedback from the community.

Right now, cert-manager supports HTTP01 challenges for all ingress types (we are no longer tying ourselves to ingress controller implementations) as well as Google CloudDNS and Cloudflare DNS providers. The DNS provider support comes from 'borrowing' each provider from xenolf/lego, with a couple of small changes to each provider. I have stuck with the golang acme package to implement the lego provider because although the xenolf/lego implementation works very well, it doesn't allow the flexibility that cert-manager requires (e.g. it does not expose a mechanism to get an authorization URI so it can be reused).

I'm excited about the potential of cert-manager in the future, as it's no longer tied to ACME at all, and we should hopefully be able to implement additional Issuer types.

It's worth noting that cert-manager is still in a very early state, and is not ready yet! It needs extensive testing, as well as a test suite building up and feedback from early users.

Finally, the repo has moved to be under our jetstack-experimental organisation, although that should be evident as you'll be redirected when visiting mine :smile: https://github.com/jetstack-experimental/cert-manager.

munnerz commented 7 years ago

Hello again!

I've been making a lot of progress with cert-manager and now have built out a small e2e test suite, much better logging support (using k8s events), initial support for a plain 'ca' based issuer, ACME HTTP01 and DNS01 challenge support, as well as quite a few other features!

I've got a number of quite core decisions to make over the spec of the Certificate resource (i.e. https://github.com/jetstack-experimental/cert-manager/issues/86, https://github.com/jetstack-experimental/cert-manager/issues/85) that I'd like to get a bit more consensus on.

If anyone has any views to add to this, be it just a +1 or a -1, I'd really appreciate your time!

I've created an issue over in the cert-manager repository for the meeting. Provisionally I've said Mon 18th September @ 2pm UTC, however please comment on the issue if this time doesn't work for you and you'd like to attend! https://github.com/jetstack-experimental/cert-manager/issues/89