cert-manager / aws-privateca-issuer

Addon for cert-manager that issues certificates using AWS ACM PCA.
Apache License 2.0

[Feature Request]: Documentation of usage with ingress annotations #267

Closed marcokuznik closed 1 year ago

marcokuznik commented 1 year ago

Describe why this change is needed

Hello aws-privateca-issuer team,

I tried to use aws-privateca-issuer with annotations of ingress resources, but didn't find documentation on how to apply the annotations to issue certificates automatically.

I configured my issuer as follows:

I used the following annotation in the ingress resource: cert-manager.io/cluster-issuer: my-root-ca

But no certificate is issued. When I create the certificate and ingress resources manually, the cluster gets the TLS certificate provisioned by the private ACM and everything is fine, but with annotations I was not able to issue certificates.

Can you give me advice on how to annotate the ingress to issue certificates automatically? The cert-manager annotation documentation has a few references to aws-privateca-issuer, but it is not clear how to use them.

Using cert-manager version 1.11.0 and aws-privateca-issuer 1.2.4.

Can you provide some documentation or any advice to make this work?

best regards, Marco

Describe solutions and alternatives considered (optional)

No response

Is there anything else you would like to add?

No response

KyleBS commented 1 year ago

Hi @marcokuznik, the issue you are describing looks like the same problem that was encountered in https://github.com/cert-manager/aws-privateca-issuer/issues/252 - as part of that we discovered that the annotation you need to use is cert-manager.io/issuer instead of cert-manager.io/cluster-issuer.

e.g.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: pca-cluster-issuer-rsa # bit weird to specify issuer instead of cluster-issuer here
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-group: awspca.cert-manager.io
  name: my-ingress-issuer-test
  namespace: aws-privateca-issuer
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: myingress-issuer-cert

Documentation on using these annotations correctly can be found at https://cert-manager.io/docs/usage/ingress/ including details on the intended use cases for cert-manager.io/issuer vs cert-manager.io/cluster-issuer.

Kyle
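A pre-apply check for the misconfiguration discussed in this thread, as an added example that is not part of the issue or of the aws-privateca-issuer project: it lints an Ingress manifest (assumed to be already loaded as a dict) for the annotation set the thread recommends for AWS PCA issuers. The AWSPCAIssuer kind name and the cert-manager defaults of kind Issuer and group cert-manager.io are assumptions, not taken from the thread.

```python
"""Lint an Ingress for the AWS PCA annotation mistake described in this issue.

Rules encoded here follow the thread: an AWS PCA issuer must be referenced with
cert-manager.io/issuer plus issuer-kind and issuer-group, because
cert-manager.io/cluster-issuer only resolves a core cert-manager ClusterIssuer.
"""

CM = "cert-manager.io/"
PCA_GROUP = "awspca.cert-manager.io"
# AWSPCAIssuer is assumed to be the namespaced counterpart of AWSPCAClusterIssuer.
PCA_KINDS = {"AWSPCAIssuer", "AWSPCAClusterIssuer"}


def lint_pca_ingress(ingress: dict) -> list[str]:
    """Return findings for an Ingress meant to get a cert from AWS PCA; [] means OK."""
    ann = ingress.get("metadata", {}).get("annotations", {}) or {}
    findings = []
    if CM + "cluster-issuer" in ann:
        # ingress-shim will look for a ClusterIssuer in group cert-manager.io,
        # which is not where an AWSPCAClusterIssuer lives.
        findings.append("cert-manager.io/cluster-issuer references a core ClusterIssuer; "
                        "use cert-manager.io/issuer with issuer-kind and issuer-group")
    elif CM + "issuer" in ann:
        # Assumed cert-manager defaults when the kind/group annotations are absent.
        kind = ann.get(CM + "issuer-kind", "Issuer")
        group = ann.get(CM + "issuer-group", "cert-manager.io")
        if kind not in PCA_KINDS:
            findings.append(f"issuer-kind is {kind!r}; expected one of {sorted(PCA_KINDS)}")
        if group != PCA_GROUP:
            findings.append(f"issuer-group is {group!r}; expected {PCA_GROUP!r}")
    else:
        findings.append("no cert-manager.io/issuer annotation; no Certificate will be created")
    tls = ingress.get("spec", {}).get("tls", []) or []
    if not tls:
        findings.append("spec.tls is empty; no certificate is requested")
    for i, entry in enumerate(tls):
        # Without a secretName there is nowhere for the issued certificate to land.
        if not entry.get("secretName"):
            findings.append(f"spec.tls[{i}] has no secretName")
    return findings


# Constructed manifests: the reporter's annotation and the one suggested above.
BROKEN = {"metadata": {"annotations": {CM + "cluster-issuer": "my-root-ca"}},
          "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-cert"}]}}
FIXED = {"metadata": {"annotations": {CM + "issuer": "pca-cluster-issuer-rsa",
                                      CM + "issuer-kind": "AWSPCAClusterIssuer",
                                      CM + "issuer-group": PCA_GROUP}},
         "spec": {"tls": [{"hosts": ["example.com"], "secretName": "myingress-issuer-cert"}]}}

if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_pca_ingress(manifest) or ["ok"])
```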

divyansh-gupta commented 1 year ago

Updated the README to describe this issue and how to resolve it.

Resolving this issue.