Hitting let's encrypt rate limits for crownlabs.polito.it

[giorio94]

Currently, every ingress resource providing access to tenant VMs triggers the creation of a Certificate resource to fetch the certificate and fill the corresponding secret (through the cert-manager.io/cluster-issue annotation).

Although all ingresses point to the same domain (i.e. crownlabs.polito.it), the Order is nonetheless issued and the certificate request counts as a renewal. Hence, hitting let's encrypt rate limits (5 renewal per week per domain).

Apparently, this issue is not causing any visible problem right now (not sure why). Yet, it will break everything when the certificate will need to be renewed (the current one expires on June, 15th).

Possible solutions identified up to now:

1. Set-up kubed to automatically synchronize secrets between namespaces [1], [2]. This appears to be the solution suggested by cert-manager [3].
2. Set-up reflector to automatically synchronize secrets between namespaces [4]. It seems to include a cert-manager extension.
3. Configure a CronJob to copy the secret generated by one single Certificate to all tenant namespaces.
4. Configure the crownlabs.polito.it certificate as the default one in nginx. I would discard this solution since it does not work for different domains (e.g test).

Relevant cert-manager issue [5].

Any comments? Suggestions?

[palexster]

Hi @giorio94, this is a really nice analysis! Kubed and Reflector solutions seem equivalent to me and also the most appropriate. Surfing the documentation, kubed seems to be really easy to setup in particular because it leverages a namespaceSelector to select multiple namespaces instead of leveraging regular expressions (which I think it's more flexible in this case). The last two options seem a bit tricky to me (in particular the last one).

[giorio94]

Thanks @palexster. I do also believe that Kubed may be the best solution (and easiest to setup). If you agree, I can go ahead and give it a try.