Next KCert Update

[nabsul]

The plan for the next KCert update is to knock out the three issues I have: #45 #35 #34

Issue 35: Duplicate email errors

This should be straightforward. I'll need to review the code and refactor it to not repeat the same error too many times.

Issues 35 & 34: DNS Challenges and Non-Ingress cert creations

I think these two can be solved together. The proposal is as follows:

Non-Ingress Cert Creation

• This will be done by creating an opaque secret
  • KCert will watch for secrets created
  • Secret will contain some metadata indicating that it's an "instruction" for KCert to create a cert
  • Secret will contain details of the certificate that needs to be created (I think hostname is the only thing needed)
• KCert will request a Let's Encrypt certificate based on the details in the opaque secret
• When the certificate is successfully fetched, the opaque secret will be deleted and immediately replaced by a certificate secret

Wildcard Certs

The wildcard cert implementation will leverage the previous design, but there will be one additional step in the process:

• Opaque secret is created as before, but with "DNS challenge" indicated somehow
• KCert will request the Let's Encrypt certificate and extract the required TXT value for DNS Challenge
• TXT DNS Challenge value will be added to the opaque secret
• User must then read this TXT value and update their DNS accordingly
• User will update the opaque secret to tell KCert that DNS is now updated
• The rest of the process is similar to previous section.

[nabsul]

non-ingress cert creation is released. wildcard certs will need more time, but I think the path is clear.

[bnssoftware]

Any progress on the wildcard certs?

[nabsul]

Yes finally! I have a working prototype and all looks good.
I'm not sure when I'll have time to integrate and cut a release. We'll have to see :-)

[nabsul]

#112