jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Added a sanity check before submitting CSR #220

Closed farcaller closed 6 years ago

farcaller commented 7 years ago

This PR adds a sanity check for k8sExtensions.IngressTLS resource. If the resource is malformed, no attempt to request a certificate would be made.

Here's an example of bad tls:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - test.example
  - secretName: test-tls
  rules:
  - host: test.example
    http:
      paths:
      - path: /
        backend:
          serviceName: test
          servicePort: 80

Notice that secretName has a typo in front of it.

Such a yaml would be gladly accepted by k8s (which is a k8s problem, surely), but kube-lego makes it worse by first requesting and obtaining a certificate and then failing to store it anywhere.
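
The kind of check described above, as an added example that is not part of the PR or of kube-lego's code. `IngressTLS` is a local stand-in for the Kubernetes type, and `checkTLS`, `usable` and `badTLS` are hypothetical names; the sample entries are built by hand to match how the manifest above decodes.

```go
package main

import (
	"errors"
	"fmt"
)

// IngressTLS is a local stand-in for the two fields of the Kubernetes
// extensions/v1beta1 IngressTLS type that matter here.
type IngressTLS struct {
	Hosts      []string
	SecretName string
}

// checkTLS (hypothetical helper) returns nil only when the entry names both
// the hosts to certify and the secret to store the certificate in.
func checkTLS(t IngressTLS) error {
	if len(t.Hosts) == 0 {
		return errors.New("no hosts")
	}
	if t.SecretName == "" {
		return errors.New("no secretName")
	}
	return nil
}

// usable splits entries into those safe to request certificates for and
// errors describing the rejected ones.
func usable(entries []IngressTLS) (ok []IngressTLS, errs []error) {
	for i, t := range entries {
		if err := checkTLS(t); err != nil {
			errs = append(errs, fmt.Errorf("spec.tls[%d]: %w", i, err))
			continue
		}
		ok = append(ok, t)
	}
	return ok, errs
}

// badTLS is the malformed manifest above as it decodes (built by hand): the
// stray "-" splits one intended entry into two incomplete ones.
func badTLS() []IngressTLS {
	return []IngressTLS{{Hosts: []string{"test.example"}}, {SecretName: "test-tls"}}
}

func main() {
	_, errs := usable(badTLS())
	fmt.Println("skipping certificate requests:", errs)
}
```

Running the check before any ACME order is placed means a malformed entry costs no issuance against Let's Encrypt rate limits and leaves no certificate without a secret to hold it.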

nakato commented 7 years ago

This seems like a good idea to me. I have made this mistake in my ingresses before.

I'd like to see this check in kube-lego.

munnerz commented 7 years ago

Just the one comment, otherwise LGTM!

simonswine commented 6 years ago

Thanks for your PR and sorry for the long wait