[Feature Request]: Documentation of usage with ingress annotations #267

Closed
marcokuznik opened this issue Apr 28, 2023 · 2 comments
Labels
enhancement New feature or request

marcokuznik commented Apr 28, 2023

Describe why this change is needed

Hello aws-privateca-issuer team,

I tried to use aws-privateca-issuer with annotations of ingress resources, but didn't find documentation on how to apply the annotations to issue certificates automatically.

I configured my issuer as follows:

```yaml
apiVersion: awspca.cert-manager.io/v1beta1
metadata:
  annotations:
  name: my-root-ca
kind: AWSPCAClusterIssuer
spec:
  arn: arn:aws:acm-pca:eu-central-1:XXXXXX:certificate-authority/XXXXXX
  region: eu-central-1
```

I used the following annotations in the ingress resource:

```yaml
cert-manager.io/cluster-issuer: my-root-ca
```

But no certificate is issued. When I create the certificate and ingress resources manually, the cluster gets the TLS certificate provisioned by the private ACM and everything is fine, but with annotations I was not able to issue certificates.

Can you give me advice on how to annotate the ingress to issue certificates automatically? The cert-manager annotation documentation has a few references to aws-privateca-issuer, but it is not clear how to use them.

Using cert-manager version 1.11.0 and aws-privateca-issuer 1.2.4.

Can you provide some documentation or any advice to make this work?

Best regards,
Marco

Describe solutions and alternatives considered (optional)

No response

Is there anything else you would like to add?

No response

@marcokuznik marcokuznik added the enhancement New feature or request label Apr 28, 2023
Collaborator

KyleBS commented Apr 28, 2023

Hi @marcokuznik, the issue you are describing looks like the same problem that was encountered in #252 - as part of that we discovered that the annotation you need to use is `cert-manager.io/issuer` instead of `cert-manager.io/cluster-issuer`.

e.g.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: pca-cluster-issuer-rsa # bit weird to specify issuer instead of cluster-issuer here
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-group: awspca.cert-manager.io
  name: my-ingress-issuer-test
  namespace: aws-privateca-issuer
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: myingress-issuer-cert
```

Documentation around the use of these annotations correctly can be found at https://cert-manager.io/docs/usage/ingress/ including details around the intended use cases for `cert-manager.io/issuer` vs `cert-manager.io/cluster-issuer`.

Kyle
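An added example, not part of the thread or of the aws-privateca-issuer project: a small lint that finds Ingresses carrying the annotation mistake described in this issue, run over data shaped like `kubectl get ingress -A -o json`. The function names, the sample objects and the assumption that AWSPCAClusterIssuer names are not reused by namespaced Issuers are all introduced here for illustration.

```python
import json

ANN = "cert-manager.io/"
PCA_GROUP = "awspca.cert-manager.io"
PCA_CLUSTER_KIND = "AWSPCAClusterIssuer"

def lint_ingress(ingress, pca_names):
    """Findings for one Ingress dict. pca_names: names of AWSPCAClusterIssuer
    resources (assumed not reused by any namespaced Issuer)."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    issuer, cluster = ann.get(ANN + "issuer"), ann.get(ANN + "cluster-issuer")
    findings = []
    if cluster in pca_names:
        # The mistake from this issue: the external issuer is referenced
        # through the annotation meant for cert-manager's own ClusterIssuer.
        findings.append("use cert-manager.io/issuer, not cluster-issuer")
    if issuer in pca_names:
        if ann.get(ANN + "issuer-kind") != PCA_CLUSTER_KIND:
            findings.append("issuer-kind must be " + PCA_CLUSTER_KIND)
        if ann.get(ANN + "issuer-group") != PCA_GROUP:
            findings.append("issuer-group must be " + PCA_GROUP)
    tls = ingress.get("spec", {}).get("tls") or []
    if (issuer or cluster) and not any(t.get("secretName") for t in tls):
        findings.append("no tls entry with a secretName")
    return findings

def lint_all(ingress_list, pca_names):
    """Map 'namespace/name' -> findings, for Ingresses that have any."""
    report = {}
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        found = lint_ingress(ing, pca_names)
        if found:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = found
    return report

# Constructed sample objects (only the fields the lint reads).
TLS = [{"hosts": ["example.com"], "secretName": "myingress-issuer-cert"}]
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"namespace": "default", "name": "from-question", "annotations": {
        ANN + "cluster-issuer": "my-root-ca"}}, "spec": {"tls": TLS}},
    {"metadata": {"namespace": "default", "name": "from-answer", "annotations": {
        ANN + "issuer": "pca-cluster-issuer-rsa", ANN + "issuer-kind": PCA_CLUSTER_KIND,
        ANN + "issuer-group": PCA_GROUP}}, "spec": {"tls": TLS}},
    {"metadata": {"namespace": "default", "name": "missing-group", "annotations": {
        ANN + "issuer": "my-root-ca", ANN + "issuer-kind": PCA_CLUSTER_KIND}},
     "spec": {"tls": TLS}},
]}
PCA_NAMES = {"my-root-ca", "pca-cluster-issuer-rsa"}

if __name__ == "__main__":
    print(json.dumps(lint_all(SAMPLE, PCA_NAMES), indent=2))
```
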

@divyansh-gupta
Collaborator

Updated the README to describe this issue and how to resolve it.

Resolving this issue.
