appuio / component-openshift4-console

Commodore component to manage the console on OpenShift 4
BSD 3-Clause "New" or "Revised" License
2 stars 0 forks source link

Custom cert-manager certificates can't be renewed #21

Closed simu closed 2 years ago

simu commented 2 years ago

Context

We implemented support for securing custom console routes with Let's Encrypt certificates requested by cert-manager in #9, cf. the implementation:

https://github.com/appuio/component-openshift4-console/blob/4c37a224a67447e494868ecde796366995b4c4f7/component/tls.libsonnet#L38-L54

However, by creating the Certificate resource in namespace openshift-config we run into the issue that OpenShift doesn't admit the route/ingress for the HTTP01 solver, because a route using the same hostname already exists in namespace openshift-console.

After some research, I only see two possible workarounds::

  1. Create Certificate resource in namespace openshift-console and copy certificate into namespace openshift-config (e.g. with Kyverno, this creates a hard dependency for Kyverno on any OCP4 cluster which wants to use a custom console route with a Let's Encrypt certificate)
  2. Use DNS01 challenge with an acme-dns client and issuer configured by the component. This would mean that setting up a custom Let's Encrypt certificate for the console would require configuring additional DNS records for the cluster.

Note that there appears to be no way to selectively allow sharing hostnames across namespaces, only the option to globally allow using hostnames across namespaces on an ingresscontroller, cf. routeAdmission.namespaceOwnership.InterNamespaceAllowed in https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress and https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-admission-policy_route-configuration, so we can't inform the ingress controller that in this specific case sharing the hostname between two namespaces is fine.

Actual Behaviour

Custom certificate managed by cert-manager for OpenShift console can't be renewed (using HTTP01 challenge)

Expected Behaviour

Custom certificate managed by cert-manager for OpenShift console is renewed

Acceptance Criteria

simu commented 2 years ago

The proposed fix in #22 implements option 1 described in the issue. We chose option 1 because it is simpler to configure for users, as it only requires users to ensure that component-kyverno is enabled on any clusters which use custom web console routes secured with Let's Encrypt certificates.

For option 2, we'd have to either replicate the self-registration logic on an acme-dns endpoint (cf. https://github.com/projectsyn/component-cert-manager/pull/42), or users would have to manually register a client and configure it in this component. Additionally, users would have to ensure that the _acme-challenge DNS record exists for the custom console route.