Enable aggregator routing #120

Closed
drym3r opened this Issue Mar 2, 2019 · 4 comments

@drym3r

commented Mar 2, 2019

Is your feature request related to a problem? Please describe.
I'm trying to install cert-manager, but it seems that it can't work properly if the kube-apiserver doesn't have the parameter --enable-aggregator-routing=true. I understand that this parameter enables the possibility of adding additional layers to the k8s API.

Describe the solution you'd like
Add the parameter --enable-aggregator-routing=true to kube-apiserver.

Describe alternatives you've considered
I think it is a must if we want to use CDR in k3s, but I'm not sure if there's an alternative.

Additional context
The little I know about this I found in this issue. From that issue, I found this and this useful.

@ibuildthecloud

Member

commented Mar 3, 2019

Yes, sorry, this is a known issue that aggregation doesn't work. I think beyond the args we need to manage another set of certificates. This is on our todo list.

@drym3r

Author

commented Mar 3, 2019

Nice to know it's in your todo! Why do you think you need another set of certificates?

@adamelliotfields


commented Mar 16, 2019

Stumbled upon this now. Sounds like @drym3r and I found all the same links :)

From my basic understanding, API Aggregation is only required for the Cert Manager Webhook.

The Webhook is only for validating the Cert Manager resources you define (Issuers, ClusterIssuers, Certificates).

I followed the instructions to disable the webhook:

helm upgrade cert-manager stable/cert-manager --reuse-values --set webhook.enabled=false

And after configuring my DNS to point to my server and creating Issuer and ClusterIssuer resources, I was able to install Rancher on k3s via Helm and have a Let's Encrypt staging certificate automatically provisioned (using ingress-nginx instead of Traefik).

As for the additional certs, it says in the aggregation link you posted:

Warning: Do not reuse a CA that is used in a different context unless you understand the risks and the mechanisms to protect the CA’s usage.
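
As an added example (not from this thread and not k3s code), a small Python check of a kube-apiserver command line for the aggregation-layer flags discussed here, including the case the quoted warning covers, where the request-header CA is the same file as the client CA. The sample command lines and file paths are constructed; the flag names are the upstream kube-apiserver ones.

```python
import os
import shlex

# Constructed sample command lines; paths are placeholders, not k3s defaults.
SHARED_CA = (
    "kube-apiserver --client-ca-file=/pki/ca.crt "
    "--requestheader-client-ca-file=/pki/./ca.crt "
    "--proxy-client-cert-file=/pki/proxy.crt "
    "--proxy-client-key-file=/pki/proxy.key"
)
SEPARATE_CA = (
    "kube-apiserver --client-ca-file=/pki/ca.crt "
    "--requestheader-client-ca-file /pki/front-proxy-ca.crt "
    "--proxy-client-cert-file=/pki/proxy.crt "
    "--proxy-client-key-file=/pki/proxy.key "
    "--enable-aggregator-routing=true"
)


def parse_flags(cmdline):
    """Return {flag: value}; accepts --flag=value, --flag value and bare --flag."""
    tokens, flags, i = shlex.split(cmdline), {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            if not sep:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
                value = "true" if nxt.startswith("--") else nxt
                i += 0 if nxt.startswith("--") else 1
            flags[name[2:]] = value
        i += 1
    return flags


def check_aggregation(cmdline):
    """List findings for the aggregation-layer flags on one command line."""
    flags, findings = parse_flags(cmdline), []
    req_ca = flags.get("requestheader-client-ca-file")
    client_ca = flags.get("client-ca-file")
    if not req_ca:
        findings.append("missing-requestheader-client-ca-file")
    elif client_ca and os.path.normpath(req_ca) == os.path.normpath(client_ca):
        # Path comparison only: the same CA copied to two paths is not caught.
        findings.append("requestheader-ca-reuses-client-ca")
    for flag in ("proxy-client-cert-file", "proxy-client-key-file"):
        if flag not in flags:
            findings.append("missing-" + flag)
    if flags.get("enable-aggregator-routing", "false").lower() != "true":
        findings.append("aggregator-routing-disabled")
    return findings
```
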

@drym3r

Author

commented Apr 18, 2019

@ibuildthecloud Is there something that can be done with this? Not being able to use an operator is a pity.

@drym3r drym3r closed this Apr 18, 2019
