Closed (simu closed this 2 years ago)
The proposed fix in #22 implements option 1 described in the issue. We chose option 1 because it is simpler to configure for users, as it only requires users to ensure that `component-kyverno` is enabled on any clusters which use custom web console routes secured with Let's Encrypt certificates.

For option 2, we'd have to either replicate the self-registration logic on an acme-dns endpoint (cf. https://github.com/projectsyn/component-cert-manager/pull/42), or users would have to manually register a client and configure it in this component. Additionally, users would have to ensure that the `_acme-challenge` DNS record exists for the custom console route.
Context
We implemented support for securing custom console routes with Let's Encrypt certificates requested by cert-manager in #9, cf. the implementation:
https://github.com/appuio/component-openshift4-console/blob/4c37a224a67447e494868ecde796366995b4c4f7/component/tls.libsonnet#L38-L54
However, by creating the `Certificate` resource in namespace `openshift-config`, we run into the issue that OpenShift doesn't admit the route/ingress for the HTTP01 solver, because a route using the same hostname already exists in namespace `openshift-console`.

After some research, I only see two possible workarounds:

1. Create the `Certificate` resource in namespace `openshift-console` and copy the certificate into namespace `openshift-config` (e.g. with Kyverno; this creates a hard dependency on Kyverno for any OCP4 cluster which wants to use a custom console route with a Let's Encrypt certificate).

Note that there appears to be no way to selectively allow sharing hostnames across namespaces, only the option to globally allow using hostnames across namespaces on an `IngressController`, cf. `routeAdmission.namespaceOwnership.InterNamespaceAllowed` in https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress and https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-admission-policy_route-configuration, so we can't inform the ingress controller that in this specific case sharing the hostname between two namespaces is fine.

Actual Behaviour
Custom certificate managed by cert-manager for OpenShift console can't be renewed (using HTTP01 challenge)
Expected Behaviour
Custom certificate managed by cert-manager for OpenShift console is renewed
Acceptance Criteria
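As an added illustration of option 1 (the Kyverno approach chosen in the closing comment), the following manifests are example code written for this page, not the fix merged in #22 and not the component's own templates. They show the three pieces the workaround needs: a cert-manager `Certificate` requested from inside `openshift-console` (so the HTTP01 solver's ingress/route is admitted, since that namespace already owns the hostname), a Kyverno generate rule that clones the resulting TLS secret into `openshift-config` and keeps it in sync on every renewal, and the OpenShift `Ingress` config that points the console route at the copied secret. The hostname `console.apps.example.com`, the secret name `console-tls`, the `ClusterIssuer` name `letsencrypt-prod` and the use of the OCP 4.8+ `componentRoutes` API are assumptions.

```yaml
# Example manifests for option 1; not code from component-openshift4-console.
# Assumed values: console.apps.example.com, console-tls, letsencrypt-prod.
---
# 1. Request the certificate in openshift-console, not openshift-config.
#    The HTTP01 solver ingress is then created in the namespace that already
#    owns the console hostname, so route admission does not reject it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: console-tls
  namespace: openshift-console
spec:
  secretName: console-tls
  dnsNames:
    - console.apps.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  privateKey:
    # Rotate the key on every renewal rather than reusing it.
    rotationPolicy: Always
---
# 2. Copy the TLS secret into openshift-config with Kyverno.
#    synchronize: true is the important part: cert-manager rewrites the
#    source secret on renewal, and without synchronize the copy would keep
#    serving the expired certificate, which is exactly the failure this
#    issue is about.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-console-tls-secret
spec:
  rules:
    - name: clone-console-tls-to-openshift-config
      match:
        any:
          - resources:
              kinds:
                - Secret
              namespaces:
                - openshift-console
              names:
                - console-tls
      generate:
        apiVersion: v1
        kind: Secret
        name: console-tls
        namespace: openshift-config
        synchronize: true
        clone:
          namespace: openshift-console
          name: console-tls
---
# 3. Point the console component route at the copied secret.
#    servingCertKeyPairSecret must reference a secret in openshift-config,
#    which is why the copy in step 2 is needed at all.
apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
  name: cluster
spec:
  componentRoutes:
    - name: console
      namespace: openshift-console
      hostname: console.apps.example.com
      servingCertKeyPairSecret:
        name: console-tls
```

Two things to check before relying on this: the Kyverno background controller must be allowed by RBAC to read Secrets in `openshift-console` and create/update them in `openshift-config` (the default permissions differ between Kyverno releases, so verify with a dry renewal, e.g. by deleting the source secret and confirming cert-manager re-issues it and the copy follows), and `names` under `match.any[].resources` requires a Kyverno release that supports the `any`/`all` match syntax.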