redhat-cop / cert-utils-operator

Set of functionalities around certificates packaged in a Kubernetes operator
Apache License 2.0
93 stars, 35 forks

Automatically populating route certificates using cert-manager #107

Open jakexks opened 2 years ago

jakexks commented 2 years ago

Hi there!

We've had several users ask for support for OpenShift Route support in cert-manager, e.g.: https://github.com/jetstack/cert-manager/issues/1064.

While we are unwilling to add support for other CRDs directly into cert-manager, as that opens a maintenance can of worms (if we added OpenShift routes, why not Istio VirtualServices, Ambassador Mappings, ...), we are willing to write the code somewhere.

This operator seems widely used to get certificates into routes. Would you be willing to accept a PR to the route_controller that would create and renew certificates by creating cert-manager CertificateRequests?

raffaelespazzoli commented 2 years ago

@jakexks thanks for reaching out. Let me see if I understand the proposal. The controller would look at an annotation and, if present, it would create a CertificateRequest (not a Certificate). This way the cert material would not be stored in a secret and then injected into the route, but it would be directly stored in the route. Is that the intention? If so, I recommend creating a separate controller dedicated to this. It's OK to have two controllers that watch the same type. Also, this controller's activation will have to be conditional on the existence of the cert-manager CRDs. That said, I'd be happy to get a PR for this.

jakexks commented 2 years ago

Yes, you've understood this correctly. Not having to use an intermediate secret would add some value over the existing secret -> route sync controller, and was a request from a Jetstack customer.

I have some WIP code, so I will refactor it into a second controller, only activated if the cert-manager CRDs are present, and create a PR for it.

lechuk47 commented 2 years ago

@jakexks Hi, I'm interested in this feature as well. Can I somehow help you to get this done?

nate-duke commented 2 years ago

@lechuk47 work seems to be moving along on this recently over in cert-manager/openshift-routes.