cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0

Adding custom annotation to cm ingress resources #6903

Closed guilhem closed 3 weeks ago

guilhem commented 6 months ago

Is your feature request related to a problem? Please describe.

All my ingress are protected with an oauth2-proxy. https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#global-auth-url

But ACME challenge must be allowed with a custom annotation: nginx.ingress.kubernetes.io/enable-global-auth https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-external-authentication

Describe the solution you'd like

I should be able, like adding ClusterIssuer etc, to add arbitrary annotations to ingress resources.

Describe alternatives you've considered

Using kyverno to patch ing resource

ClusterPolicy

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ingress-annotation
spec:
  rules:
    - name: annotate-ingress
      match:
        resources:
          kinds:
            - Ingress
          name: "cm-acme-http-solver-*"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              nginx.ingress.kubernetes.io/enable-global-auth: "false"
```

Additional context

https://github.com/cert-manager/cert-manager/blob/d073db164834b772f54aeb7ff1539e1dac3ca992/pkg/issuer/acme/http/ingress.go#L152

/kind feature
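A defender-side check for the Kyverno workaround above, added here as an example and not code from the issue or from cert-manager: it audits Ingress objects (plain dicts in the shape `kubectl get ingress -o json` returns) and flags any that disable ingress-nginx global auth without being a cert-manager HTTP01 solver ingress confined to the ACME challenge path. The solver name pattern and annotation come from the policy above; the sample manifests are constructed.

```python
import fnmatch

# Values from the thread: the ingress-nginx annotation, the solver name glob
# used in the Kyverno policy, and the ACME challenge path ingress-nginx exempts.
AUTH_ANNOTATION = "nginx.ingress.kubernetes.io/enable-global-auth"
SOLVER_NAME_GLOB = "cm-acme-http-solver-*"
ACME_PATH_PREFIX = "/.well-known/acme-challenge/"

def bypasses_global_auth(ingress: dict) -> bool:
    """True if the Ingress opts out of the ingress-nginx global auth URL."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    return annotations.get(AUTH_ANNOTATION, "true").strip().lower() == "false"

def ingress_paths(ingress: dict) -> list:
    """Collect every HTTP path the Ingress routes (a missing path means '/')."""
    paths = []
    for rule in ingress.get("spec", {}).get("rules") or []:
        for p in (rule.get("http") or {}).get("paths") or []:
            paths.append(p.get("path", "/"))
    return paths

def is_acme_solver(ingress: dict) -> bool:
    """Solver ingress: cert-manager name pattern and only ACME challenge paths."""
    name = ingress.get("metadata", {}).get("name", "")
    paths = ingress_paths(ingress)
    return (fnmatch.fnmatchcase(name, SOLVER_NAME_GLOB)
            and bool(paths)
            and all(p.startswith(ACME_PATH_PREFIX) for p in paths))

def find_unexpected_bypasses(ingresses: list) -> list:
    """Names of Ingresses that disable global auth but are not solver ingresses."""
    return [i["metadata"]["name"] for i in ingresses
            if bypasses_global_auth(i) and not is_acme_solver(i)]

# Constructed sample manifests: one legitimate solver ingress, one app ingress
# that someone annotated by hand, one solver-named ingress routing "/".
SAMPLE = [
    {"metadata": {"name": "cm-acme-http-solver-abc12",
                  "annotations": {AUTH_ANNOTATION: "false"}},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/.well-known/acme-challenge/TOKEN"}]}}]}},
    {"metadata": {"name": "grafana",
                  "annotations": {AUTH_ANNOTATION: "false"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/"}]}}]}},
    {"metadata": {"name": "cm-acme-http-solver-zzz99",
                  "annotations": {AUTH_ANNOTATION: "false"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/"}]}}]}},
]

if __name__ == "__main__":
    print(find_unexpected_bypasses(SAMPLE))  # ['grafana', 'cm-acme-http-solver-zzz99']
```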

hawksight commented 5 months ago

Hey I think you can use this flag on the cert-manager-controller, --auto-certificate-annotations strings?

      --auto-certificate-annotations strings                 The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])

I found this running the latest image:

docker run -ti --rm quay.io/jetstack/cert-manager-controller:v1.14.5 --help

I might have misread it, but perhaps give that a go to see if you can add multiple strings to that argument including the additional one you need?

--auto-certificate-annotations "kubernetes.io/tls-acme,nginx.ingress.kubernetes.io/enable-global-auth"

guilhem commented 5 months ago

To respond to myself, ingress-nginx has a dedicated option, no-auth-locations, to bypass auth for specific locations, like /.well-known/acme-challenge (set by default).

cert-manager-bot commented 2 months ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. /lifecycle stale

cert-manager-bot commented 1 month ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. /lifecycle rotten /remove-lifecycle stale

cert-manager-bot commented 3 weeks ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten. /close

cert-manager-prow[bot] commented 3 weeks ago

@cert-manager-bot: Closing this issue.

In response to [this](https://github.com/cert-manager/cert-manager/issues/6903#issuecomment-2395402180):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.