New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Review of API schema #51
Comments
Currently For example, dns providers will often be set up to only work for names under a single subdomain (e.g. the route53 provider, having the credentials to a single zone) It's more burden on users if they have to select a specific issuer. Instead could the system figure it out? (e.g. if the Along similar lines, if |
Hey @mikebryant - sorry this message slipped through my inbox. So right now, no it's not possible. It is something that I want to support however, it's just the details of how we do it that are complex. This is a blocker for #19, unless we start exposing more API surface through Ingress annotations. Open questions:
I'm personally not a huge fan of Issuers specifying lists of supported domains. It feels like it's over-complicated for provisioning an Issuer, and isn't applicable in all cases (think: ACME HTTP01). It's also further tied to the providers specific config. e.g. the supported domains are actually on a per-challenge provider basis in ACME, which is specific to ACME itself. |
I would be happy to leave the complicated semantics like policy based on lists of domains out etc. If we leave open the possibility to do the autoconfiguration by initializers, that would let anyone with such needs sort it out themselves, without needing to fork or reimplement all the certificate managing stuff. My use-case is just to have a single default Issuer per cluster, with a single root domain that everything will be subdomains off. But I do want to avoid needing that configuration in the |
@mikebryant I've created #97 to track adding a default annotation to Issuers (and supporting Initializer for Certificate resources). I like the idea of a simple solution regarding picking a challenge provider - I think it'd be great if we didn't require all the extra config, especially in single-Issuer, single-config scenarios. The only edge-case I can see here, is that right now, all ACME issuers are 'configured' for solving HTTP01 challenges (as there's no configuration required). This means it'd be impossible to create a default issuer that always uses DNS01. If we require a user specify +1 for leaving policy stuff out for now. Perhaps in future we can provide a some built in initializers for policy that can be enabled by advanced users. |
I would prefer to be explicit. So definitely +1 on requiring it to be specified to be enabled with I wouldn't have thought it would be hugely confusing for users, if that's one of the default examples. My expectation would be someone starts using the project by copying and pasting an example |
@mikebryant We could consider having http-01 as a default only if no other method is defined, but I think that'd cause more confusion if http-01 disappeared as soon as another method was added (for example, after http-01 had already been used for a while for obtaining certs). So yeah I agree with being explicit in the methods you want to enable |
I've opened #115 which adds the functionality that @mikebryant and @dippynark have described. Once merged, an ACME Issuer will require some config on it in order to start issuing certificates. The docs/examples need updating correspondingly. Unfortunately we don't currently have test coverage on this part of the codebase, but post-0.0.1 I'm going to work on getting Boulder running for tests so we can properly test out the ACME provider. |
I'm going to close this issue off once #118 is closed as that's the final API change for this release at least. We should spend some time getting used to the new schema, and we can re-open discussions in a new issue if we need to address anything next time around. |
Right now our API schema is relatively flexible. We only define a single external version, v1alpha1, and we give no guarantees on the stability of this API.
Now that we're at a point where the project does function, we should review our schema to make sure it's consistent and makes sense. This specifically relates to the 'Issuer' and 'Certificate' resource type.
An example for ACME can be found here: https://github.com/jetstack-experimental/cert-manager/blob/master/docs/acme-cert.yaml and here: https://github.com/jetstack-experimental/cert-manager/blob/master/docs/acme-issuer.yaml. The full type definitions can be found in types.go.
The text was updated successfully, but these errors were encountered: