wildcard certificat - Githubissues

vexxhost / atmosphere

Simple & easy private cloud platform featuring VMs, Kubernetes & bare-metal

100 stars 28 forks source link

wildcard certificat #206

Closed mpiscaer closed 1 year ago

mpiscaer commented 1 year ago

I would like to use a wildcard certificate to have all the service running.

https://identity.openstack.domain.tld/v3 -> keystone
https://image.openstack.domain.tld/ -> Glance
https://openstack.domain.tld/ -> Horzion

mnaser commented 1 year ago

This can be done by creating a secret and overriding openstack_helm_ingress_secret_name:

https://github.com/vexxhost/atmosphere/blob/f3f59a7e17dfa057cd6fbf6d0b3b39a0d931e754/roles/openstack_helm_ingress/defaults/main.yml#L16-L21

mpiscaer commented 1 year ago

I created a secret with kubectl -n openstack create secret tls cert-tls --key="tls.key" --cert="tls.crt" and changed openstack_helm_ingress_secret_name: cert-tls

After running the playbooks the system deletes and recreates a new secret.

okozachenko1203 commented 1 year ago

https://github.com/vexxhost/atmosphere/blob/223eb5bf031b30152b8972caf137cc58c8ee45fe/roles/openstack_helm_ingress/vars/main.yml#L16

All ingresses have explicit issuer spec in their annotation regardless of certificate type. It will trigger certificate issue on cert-manager side and user's custom wildcard cert secret is overridden by generated one.

Need to make that annotation configurable.

mnaser commented 1 year ago

this is now possible by using this:

https://github.com/vexxhost/atmosphere/blob/a5902dd42117b273cec41ef1be2e12d0279ff817/roles/openstack_helm_ingress/README.md