Add support for Amazon Certificate Manager #333
Comments
jetstack-bot
added
the
kind/feature
|
Yes, but you can't download ACM certificates, because ACM won't give you the private key (right?). So this is not useful for Ingress's or in-cluster services. ACM is a different model from the CA, ACME / Let's Encrypt, and Vault models, since it doesn't actually let you have the certificate. There are a couple useful scenarios for ACM for k8s Services, but nothing useful for Ingress's or in-cluster services: 1) Auto-import to ACM. After 2) Issue ACM certificates for AWS Load Balancer Services. Both are well outside the scope of |
|
I had scenario 2 in mind. I don't need this functionality right now, I just heard about this service and figured I'd file an issue to see if there's interest for someone to implement such a thing. |
|
Thanks for the detailed breakdown of how ACM works @whereisaaron When considering (1), this falls under 'alternate delivery mechanisms' for cert-manager certificates. It's something I've considered before (when considering how cert delivery-to-the-pod can work). Depending on how ACM works (whether it always manages private keys for the user) it may also be related to #303. Right now, if a user wants to use cert-manager to issue certificates for ACM in this way, I'd advise they write a separate controller that watches secret resources and syncs appropriate ones to ACM (perhaps by annotation Certificate resources). This controller would then also upload those certificates to ACM if they change (e.g. after renewal by cert-manager). This solves the 'alternate delivery mechanism' issue by pushing it out of cert-manager core (i.e. it doesn't, we just decide to not support it). For (2), this again kind of falls under alternate delivery (as there is no delivery). Updating an annotation on a service does seem slightly arbitrary though, and I'm not sure if it should be cert-manager's responsibility. If anyone wants to try mocking up a proposal for this I'd be open to considering it, but it would need to touch on or at least consider how other delivery mechanisms may be implemented and expressed in future. |
|
The newly announced ACM Private may have just made this relevant to non-ELB usage cases. Should we create a separate issue for that, or is this one good enough? We'd actually be far more interested in the ACM Private->Kubernetes Secret usage case than for ELBs. |
ACM (not private)I'm not convinced that ELB "LoadBalancer" type services + ACM integration makes sense in this codebase. That seems much more like a kubernetes cloud-provider feature, or a separate extension to it. It just doesn't really match up with the existing cert-manager concepts well IMO. If it did end up in cert-manager, I think it would end up being a new resource type, a "CertificateStub", and that type would then be able to be referenced from certain other resources... but it really doesn't match the rest of what cert-manager does and has so many caveats that I don't think it's worth considering any time soon, if ever. ACM PrivateIf no one else wants to, I might pick up the work to make an ACM Private issuer since I do think ACM private is a good match for cert-manager based on a quick skim of that post. That looks quite handy and like it matches existing cert-manager concepts quite well. I'm fine with either a new issue or re-purposing this one to track it. |
|
👍 from a quick read of that ACM Private blog post, it seems like a perfect fit for a new Issuer type. I'd be happy to accept a PR that adds this functionality 😄 |
|
That said, we need to make sure the integration is properly tested. How do developers usually test things against AWS APIs to ensure they work? I notice there's an associated cost with running a private ACM, so I don't think we can feasibly create real private CAs for use in tests unless we can 'work around' this cost 😄 |
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
jetstack-bot
removed
the
lifecycle/stale
|
Was there any movement towards adding ACM Private CA support? |
|
I've not seen any PRs opened here for it!
…On Mon, 24 Sep 2018 at 02:38, Rafael Fonseca ***@***.***> wrote:
Was there any movement towards adding ACM Private CA support?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#333 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMbP6VyIjQCvEybbaMqothH_NVUtAM9ks5ueDeXgaJpZM4SO6ID>
.
|
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
jetstack-bot
removed
the
lifecycle/stale
munnerz
added
area/api
|
I'm going to take a crack at adding thing feature. I have a use case for ACM and having cert-manager handle the creation and rotation of certs would be awesome. |
|
Created a PR for ACM Private CA here #1391 Once that is merged I'll look into adding the non-private CA. I haven't used that one as much however so if someone else knows it better feel free to help out :) |
|
👍 for auto-import to ACM! This would work right with ALB IngressController! |
|
I really love to have this PR merged as soon as possible! Excellent! |
|
I misunderstood @rmb938's PR #1391. It is not to push Both are good ideas for |
|
Since this is being discussed in the PR comments, there is interest for ACM Private! I am one of the people looking forward to it. ACM Private is also a first step and would lead the way for ACM so I am very much in favor of it! |
|
Looking a little bit wider many clouds offer a Certificate Manager that tends to work tightly with their L7 load balancers:
Perhaps it's a good time to invent an interface for these cloud providers to implement their providers out of certmanager's tree? Similar to k8s CNIs and CSIs, just for Certificate issuing. Personal note, I haven't looked too far into it yet, but the new AWS ALB Ingress controller doesn't seem able to import certificates from the K8S cluster. My team has currently dropped into issuing certificates via terraform + ACM and then referencing the ARN in the Ingress annotation which is not fun. Perhaps I need to try again. |
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
|
Is there any progress on this issue? PR is submitted in April, now it is September already. The feature is more than welcome for many people. |
|
/remove-lifecycle rotten |
jetstack-bot
removed
the
lifecycle/rotten
|
For the time being, I don't think we're going to proceed with this in the main codebase so I'm going to close issue. If someone does want to implement this still, I'd suggest implementing it as an out of tree Issuer which are now supported by default from v0.11 onwards 😄 |
|
@munnerz is there any docs on out of tree issuers? I have a custom one I wrote targeting 0.6 and was going to submit a PR once I got it merged with master but out of tree makes more since because I suspect the company's CA product is not used by too many people. |
|
Any progress on this? |
|
I am just reviving this a bit.. the awspca-issuer project looks dead (I have started an issue at codingvirtues/awspca-issuer#5 to discuss). I would love to get some eyes on it though and see if we can revive it somewhere else so that it can be improved. Right now it is not quite production ready. |
|
ACM Private CA support for cert-manager is now available using the Private CA Kubernetes cert-manager plugin. With the plugin, you can use a highly-available, secure, managed Private CA as an issuer for your Kubernetes cluster. Learn more about the plugin: |
|
For the ones that land here looking for public certs in ACM, have a look at this: aws-controllers-k8s/community#482 |
|
does this work on NON EKS clusters? |
and others
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
Amazon Certificate Manager is another service that handles SSL certificates. Would be nice to add support for it for those who use AWS.
The text was updated successfully, but these errors were encountered: