redhat-cop / cert-utils-operator

Set of functionalities around certificates packaged in a Kubernetes operator
Apache License 2.0

Populating route certificates from secrets in another namespace #85

Closed Bjornej closed 3 years ago

Bjornej commented 3 years ago

Hi, I was looking through the documentation to set up cert-manager with Let's Encrypt on an OpenShift cluster and I came across this operator. I have a situation where I need to create a wildcard Let's Encrypt certificate and use it in routes defined in 4-5 namespaces.

I saw that the annotation cert-utils-operator.redhat-cop.io/certs-from-secret: "<secret-name>" can load from a secret, and that functionality works very well, but it cannot load the secret from another namespace, as it assumes the secret to be in the same namespace as the route.

I saw that this is possible for the annotation cert-utils-operator.redhat-cop.io/injectca-from-secret: <secret namespace>/<secret name>.

Is this a limitation or a necessary choice due to the way Kubernetes works, or could the operator be modified to allow specifying a namespace for the secrets?

raffaelespazzoli commented 3 years ago

The design to not allow you to load certificates from another namespace is for security reasons. CA bundles are public info, so it's ok to do cross-namespace look-ups.
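To make the two annotation forms discussed in this thread concrete, here is an added example (it is not from the issue, nor from the operator's own documentation): a Route that takes its serving certificate from a TLS Secret, which must live in the Route's own namespace, beside a CA-bundle injection that is allowed to name another namespace because the bundle is public. All resource, namespace and host names are assumed, and the placement of the injectca-from-secret annotation on a ConfigMap is an assumption as well; the issue only shows the value format.

```yaml
# Added example; names and hosts are assumed, not taken from the issue or the operator docs.
# Route serving certificate: private key material, so the Secret MUST sit in the
# same namespace as the Route that references it.
apiVersion: v1
kind: Secret
metadata:
  name: wildcard-example-tls        # assumed name
  namespace: team-a                 # same namespace as the Route below
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM certificate chain>   # placeholder, not real material
  tls.key: <base64 PEM private key>         # placeholder, not real material
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: web
  namespace: team-a
  annotations:
    # Secret name only: a "<namespace>/<name>" value is not accepted here, which keeps
    # a route owner in team-a from pulling private keys out of other namespaces.
    cert-utils-operator.redhat-cop.io/certs-from-secret: "wildcard-example-tls"
spec:
  host: web.apps.example.com        # assumed host
  to:
    kind: Service
    name: web
  tls:
    termination: edge
---
# CA-bundle injection: public material, so a cross-namespace "<namespace>/<name>"
# reference is allowed. Placing this on a ConfigMap is an assumption of this example.
apiVersion: v1
kind: ConfigMap
metadata:
  name: trusted-ca
  namespace: team-a
  annotations:
    cert-utils-operator.redhat-cop.io/injectca-from-secret: "pki-shared/wildcard-ca"
```

The practical consequence for the wildcard-certificate case is the one the thread arrives at: each namespace that terminates TLS on its routes needs its own copy of the TLS Secret, and whatever distributes that copy (cert-manager issuing per namespace, or a controlled sync) is where the access decision about the private key is made, rather than in a cross-namespace route annotation.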

Bjornej commented 3 years ago

So the recommended solution in this case is to create separate secrets in every namespace with the wildcard certificate and sync them in some way (cronjob, etc.)?

raffaelespazzoli commented 3 years ago

My recommended solution is described here: https://www.openshift.com/blog/self-serviced-end-to-end-encryption-for-kubernetes-applications-part-2-a-practical-example

This is a rather old article and the automation may not work anymore, but the concepts are still valid.
