Enable creation of cert-manager ClusterIssuer with multiple solvers

sherif-fanous commented 1 year ago

Is your feature request related to a problem?

Currently the cert-manager chart allows only one solver to be configured per ClusterIssuer.

This presents an issue for owners of multiple domains that are hosted by either different providers or by the same provider but using different accounts.

This limitation means that it is currently not possible to use a certificate with multiple SANs spanning across more than 1 domain when setting up an ingress unless both domain are hosted by the same provider and are in the same account.

For example in my situation I own 2 domains, 1 hosted by Cloudflare and the other hosted by Route53.

Describe the solution you'd like

The Type or DNS-Provider in the cert-manager chart should be an array where one can specify 1+ solvers within the same ClusterIssuer resulting in a manifest similar to the following

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: cert-manager
    meta.helm.sh/release-namespace: ix-cert-manager
  labels:
    app.kubernetes.io/managed-by: Helm
  name: letsencrypt-production-issuer
spec:
  acme:
    email: me@example.com
    privateKeySecretRef:
      name: letsencrypt-production-issuer-acme-clusterissuer-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - selector:
          dnsZones:
            - <domain_1> # domain managed by this solver. e.g. example.com
        dns01:
          cloudflare:
            apiTokenSecretRef:
              key: cf-api-token
              name: letsencrypt-production-issuer-clusterissuer-secret
            email: me@example.com
      - selector:
          dnsZones:
            - <domain_2> # domain managed by this solver. e.g. example2.com
        dns01:
          route53:
            accessKeyID: <access_key_id>
            region: <region>
            secretAccessKeySecretRef:
              key: route53-secret-access-key
              name: letsencrypt-production-issuer-clusterissuer-secret

Describe alternatives you've considered

Create 2 separate ClusterIssuers, 1 for each domain.

The problem is that when configuring ingress it is not possible to specify multiple ClusterIssuers..

Additional context

No response

I've read and agree with the following

[X] I've checked all open and closed issues and my request is not there.
[X] I've checked all open and closed pull requests and my request is not there.

PrivatePuffin commented 1 year ago

The problem is that when configuring ingress it is not possible to specify multiple ClusterIssuers.

We have chosen not to overcomplicate the chart design on purpose. However, the anove premise is inherently false. We’ve provided the option for multiple certificates for different domains under the “tls” section.

Im going to leave this issue as-is, meaning it wont be implemented by maintainers and PR’s without backwards compatability wont be accepted at all.

PrivatePuffin commented 1 year ago

Ive removed the ingress bug report that was sneaked into this issue as well.

Also additional ingress (functional or not) should not be used for this. Tls section should.

PrivatePuffin commented 8 months ago

If you want to expedite this enhancement, please consider putting a bounty on it here:

https://opencollective.com/truecharts-bounties/contribute/place-bounty-72003

truecharts / public