cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes
Apache License 2.0

Proposal: Custom Domains in cf-for-k8s #610

Open stefanlay opened 3 years ago

stefanlay commented 3 years ago

Is your feature request related to a problem? Please describe. A CF user wants to create their own domain in a CF org and to push applications to this domain. Routes to such applications cannot be used currently because the ingress can only route traffic to hosts in domains configured in Istio, and in the case of HTTPS, there is no TLS certificate for this domain.

Describe the solution you'd like The user should be able to configure ingress and TLS certificate for such a domain using the command line. No access to the underlying k8s cluster should be required. The certificate may be managed by a certificate manager in the cluster or provided by the user.

Additional context A solution proposal document is available here.

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/176495912

The labels on this github issue will be updated when the story is started.

drpdishant commented 3 years ago

Is your feature request related to a problem? Please describe. A CF user wants to create their own domain in a CF org and to push applications to this domain. Routes to such applications cannot be used currently because the ingress can only route traffic to hosts in domains configured in Istio, and in the case of HTTPS, there is no TLS certificate for this domain.

Describe the solution you'd like The user should be able to configure ingress and TLS certificate for such a domain using the command line. No access to the underlying k8s cluster should be required. The certificate may be managed by a certificate manager in the cluster or provided by the user.

Additional context A solution proposal document is available here.

I believe the development team has that in its upcoming plans. For now I have been using cf-for-k8s for development environments, using pre-generated wildcard certificates for the apps and system domains.

The challenge with adding custom domains along with a certificate is that it would require a wildcard certificate, which requires DNS validation, and automating it will require SDK integration for DNS vendors.

This is for the cloudfoundry development team: the current architecture routes the traffic through a single ingress resource which is created and configured during the deployment of CF. We can keep the main one for wildcard routing for the apps and system domains, which are auto-generated. In case of a custom domain, the user is already able to add it and attach a route to the application; we need to configure cert-manager, via cf-values or manually, and create a letsencrypt cluster issuer. Till the route is attached, whether via manifest or via the cf CLI, it stays in the controller's database. When the app is deployed, the controller should create an ingress resource for it, if the domain is not part of the system or app domains, with cluster issuer annotations, host and path configurations, backend service and secret. This applies to nginx/istio.

The other thing we can do is use the Traefik ingress controller for routing the custom domains: just map the DNS to the NLB of Traefik and it automatically gets certs and uses them to provide a secure connection.
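As an added example (not code from the issue or from the cf-for-k8s project), this is what the cluster issuer and the per-route Ingress described in the comment above could look like with cert-manager. The namespace, service name, hostname, contact email and ingress class are assumed placeholders, and the HTTP-01 solver shown only covers specific hostnames; as the comment notes, a wildcard certificate would need a DNS-01 solver instead.

```yaml
# ClusterIssuer: created once by the platform operator, not by the CF user.
# The ACME account key is stored in a Secret in the cert-manager namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-ops@example.com      # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    # HTTP-01 proves control of one exact hostname at a time.
    # A wildcard (*.custom.example.com) cannot be issued this way;
    # that needs a dns01 solver plus credentials for the DNS vendor.
    - http01:
        ingress:
          class: istio                    # assumed ingress class
---
# Ingress: what the controller would create per custom-domain route.
# The annotation makes cert-manager request a certificate for spec.tls.hosts
# and write it into spec.tls.secretName in this namespace, so the Secret
# stays scoped to the workload namespace rather than the shared gateway.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-custom-domain              # assumed name
  namespace: workloads-example           # placeholder namespace
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: istio                # assumed ingress class
  tls:
  - hosts:
    - app.custom.example.com             # the user's custom domain route
    secretName: app-custom-example-com-tls
  rules:
  - host: app.custom.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp                  # assumed app Service name
            port:
              number: 8080               # assumed app port
```

Issuance only succeeds once public DNS for the host points at the ingress, so a pending Certificate resource is the first thing to check when a custom-domain route stays without TLS.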