ibotty / openshift-letsencrypt

MIT License

Handling secrets #19

Open jameseck opened 7 years ago

jameseck commented 7 years ago

I'm opening this issue to see how you feel about dealing with secrets as well as routes. An example use case that I have is postfix and dovecot deployments. There are no routes involved.

ibotty commented 7 years ago

Can you please clarify? Would you like to get certificates for non-web services? That's a great use case. Albeit it's a little limited in that openshift-letsencrypt only does http validation (... yet, although I have no plans to change that myself) and so DNS entries for postfix and dovecot have to point to openshift's load balancer.

I propose the following way. Create a dummy route for these deployments (not backed by any deployment) with an annotation, say, butter.sh/letsencrypt-crt-secret. openshift-letsencrypt would then get a certificate as usual but additionally store the certificate in the named secret.

I can see the following fundamental problem. There is no general way to notify the application on certificate changes. I have no idea how to do that without using a sidecar container for every service.

What do you think?

BTW: patches of course welcome, but even documenting the desired flow would be very appreciated!

jameseck commented 7 years ago

Yes, that's exactly right, certs for non-web services. I think the http validation could still work for these since your pod is already able to create the route to handle the challenge. I'm not really a fan of handling the DNS challenge either - there are too many different DNS providers with their own API (or no API) to handle. I hadn't thought about a dummy route, but this might not be desirable.

The notification of applications on certificate changes is an interesting point. I'm also not sure how to solve that problem, or whether it's just something that should be left up to the application to handle itself. Maybe an annotation on the dc/pod could be added so that the watcher/cron could use that annotation to redeploy the application on cert update.

I don't have all the answers yet, it's just a problem I've come across recently and thought it was worth raising for a discussion.

ibotty commented 7 years ago

What's the problem with a dummy route? I can't think of any problem.

Redeploying is a pretty big hammer though. I suspect one should just use a sidecar that sends a sighup. Would you like to give a shot at implementing storing in secrets? You might have a look at the git history of this repo, it contains most of the code already.
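The flow proposed in this thread (a dummy route carrying the `butter.sh/letsencrypt-crt-secret` annotation, the issued certificate copied into the named secret, and a sidecar deciding when to signal the service) sketched as an added example in Python; this is not code from openshift-letsencrypt, and the route, secret name and PEM strings are constructed sample values.

```python
import base64
import hashlib

# Annotation name proposed in the thread; its value names the target secret.
CRT_SECRET_ANNOTATION = "butter.sh/letsencrypt-crt-secret"

# Constructed dummy route (not backed by any deployment) for a mail service.
SAMPLE_ROUTE = {
    "metadata": {
        "name": "postfix-cert",
        "namespace": "mail",
        "annotations": {CRT_SECRET_ANNOTATION: "postfix-tls"},
    },
    "spec": {"host": "mail.example.invalid"},
}
# Placeholder PEM bodies, constructed for the example (not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nconstructed-v1\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"


def target_secret_name(route):
    """Secret named by the annotation, or None when the route does not opt in."""
    return route.get("metadata", {}).get("annotations", {}).get(CRT_SECRET_ANNOTATION)


def build_tls_secret(route, cert_pem, key_pem):
    """Build a kubernetes.io/tls Secret manifest in the route's own namespace."""
    name = target_secret_name(route)
    if name is None:
        raise ValueError("route carries no %s annotation" % CRT_SECRET_ANNOTATION)
    b64 = lambda text: base64.b64encode(text.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": route["metadata"]["namespace"]},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }


def cert_fingerprint(secret):
    """SHA-256 over the stored certificate; a cheap change detector for a sidecar."""
    return hashlib.sha256(base64.b64decode(secret["data"]["tls.crt"])).hexdigest()


def needs_reload(old_secret, new_secret):
    """True when the certificate actually changed, i.e. the service should be sent SIGHUP."""
    if old_secret is None:
        return True
    return cert_fingerprint(old_secret) != cert_fingerprint(new_secret)
```

A sidecar would poll the mounted secret, call `needs_reload` against the last fingerprint it saw, and only then signal the service, avoiding the full redeploy discussed above.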