-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create "Switching from kube-lego" user guide #136
Comments
@munnerz With the current Boulder implementation you'll want to follow the advice of draft-06 Section 7.3 and POST a new-reg request with the public key of the private key in question. If an account already exists there will be a conflict response with a Location header that contains the existing account URI. It's a little bit awkward because the only way to check if an account exists is to try and create it, so if it doesn't exist, it will after you check! Draft-07 cleans this up (See Section 7.3.1) by adding a Hope that helps! |
Ah excellent - this should mean we can offer a seamless transition to cert-manager, so long as the user has retained their private key 😄 It also means that we can accept arbitrary existing private keys/registrations from users if they want to start using cert-manager after they initially don't. The issue of "check or create" isn't such a problem for us right now. Thanks once again for the advice! |
Happy to help! |
@cpu I've been looking into implementing this in cert-manager, and have found a discrepancy between the spec listed on the draft, and with how the LE staging server (and I expect the prod one, although not checked) is behaving. Specifically:
On calls to Register, I'm actually seeing a
This seems odd? Is that an old draft of the specification? If so, the change in behaviour could definitely break some clients. That said, I've never known it to not return a 409 error. Worth noting that the Location header is set on the response to a registration request, but the status code is incorrect and the actual account resource is not included in the body of the response (although the spec doesn't specify that this should be the case, so maybe that's expected). |
@munnerz Apologies, I should have also linked to the Boulder divergences doc for this:
You can assume that won't change for the V1 API.
I believe that's expected 👍 |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Expand deployment docs, including docs on ingress-shim **What this PR does / why we need it**: Improves our documentation to further explain how Helm deployment works (including RBAC and extraArgs). It also adds a doc on ingress-shim - what it does, how it works, how to configure it and how to use it. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #256, fixes #257, fixes #136 **Release note**: ```release-note Improve deployment documentation ``` /cc @ahmetb
We should provide guides on how to switch from kube-lego to help users migrate their existing deployments.
I'm not 100% sure if kube-lego stores the ACME account URI anywhere once it has registered an account, and so far I've not been able to find any way to look up an existing registration URI for a private key.
We use this URI in order to check if an account is valid (here: https://github.com/jetstack-experimental/cert-manager/blob/master/pkg/issuer/acme/setup.go#L58).
@cpu do you have any advice how I can obtain a registration URI for a private key that is already registered with an ACME server?
/kind documentation
The text was updated successfully, but these errors were encountered: