Description
Is your feature request related to a problem? Please describe.
This feature solves two problems.
- It separates the responsibility between the Cluster Operator role and the Developer role
- It avoids having to use wildcard certificates for Gateways
Role separation
The Gateway (gateway.networking.k8s.io/v1) resource is the responsibility of the Cluster Operator whilst the HTTPRoute (gateway.networking.k8s.io/v1) is the responsibility of the Developer role.
The current functionality causes a blurring of those lines at best, and a bottleneck at worst - as the Gateway needs updating with a specific listener for each publicly exposed workload.
Wildcard certificates
In a production environment wildcard certificates Are Bad ™️
The current functionality, if one wishes to keep the roles strictly separated and avoid bottlenecks, forces the user to use wildcard certificates.
Describe the solution you'd like
Cert Manager should also consider the HTTPRoute resource when creating a certificate, and update the secret defined for the Gateway listener with the certificate details.
Describe alternatives you've considered
The alternative, for example in the case of Istio, is to not use the new Gateway API and rely on the previous Ingress-based system (where you create an explicit Certificate resource).
Additional context
Here's what the configuration could look like:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: "*.k8s.eu-north-1.ops.cosafe.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    hostname: "*.k8s.eu-north-1.ops.cosafe.com"
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - name: gateway-tls
```
Note that the hostname here uses a wildcard, but the hostname could be optional (the spec is a bit unclear).
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: echo-server
spec:
  parentRefs:
  - name: istio-gateway
    namespace: istio-ingress
  hostnames:
  - "echo.k8s.eu-north-1.ops.cosafe.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: echo-service
      port: 8080
```
The above configuration (given hostname is defined on the listener) "works", but the certificate issued is a wildcard certificate for the hostname in the listener, not the more specific hostname defined on HTTPRoute.
Environment details (remove if not applicable):
- Kubernetes version: 1.31
- Cloud-provider/provisioner: AWS EKS
- cert-manager version: v1.16.2
- Install method: helm
/kind feature
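As an added example (not cert-manager's code and not from the issue author): a Python sketch of the Gateway API listener/HTTPRoute hostname intersection rule applied to the Gateway and HTTPRoute in the issue, showing which hostnames a certificate would need if attached HTTPRoutes were taken into account, and the caveat that the listener-wide `*.` certificate does not even cover every hostname the listener admits, because a TLS wildcard (RFC 6125) spans exactly one label while the Gateway API wildcard spans one or more. The `nested` and `other-domain` routes are constructed for contrast.

```python
"""Gateway API hostname intersection vs. TLS wildcard coverage (added example)."""

def hostnames_intersect(a: str, b: str) -> bool:
    """Gateway API rule: a listener and a route hostname intersect on an exact
    match, or when a leading '*' label stands in for one or more labels, so
    '*.example.com' admits 'foo.test.example.com' but not 'example.com'.
    An unset (empty) hostname matches everything."""
    if not a or not b:
        return True
    la, lb = a.split("."), b.split(".")
    if la[0] == "*" and lb[0] == "*":
        sa, sb = la[1:], lb[1:]  # both wildcards: one suffix must end with the other
        return sa[-len(sb):] == sb or sb[-len(sa):] == sa
    if la[0] == "*":
        la, lb = lb, la  # normalise so that lb is the wildcard, if any
    if lb[0] == "*":
        suffix = lb[1:]
        return len(la) > len(suffix) and la[-len(suffix):] == suffix
    return la == lb

def cert_sans_for_listener(listener_hostname: str, routes: list[dict]) -> list[str]:
    """Hostnames a certificate for the listener's certificateRef would need if
    attached HTTPRoutes were considered (the issue's request) rather than the
    listener hostname alone (the behaviour the issue describes)."""
    sans: list[str] = []
    for route in routes:
        for host in route["hostnames"]:
            if hostnames_intersect(listener_hostname, host) and host not in sans:
                sans.append(host)
    return sans

def covered_by_tls_wildcard(cert_name: str, host: str) -> bool:
    """RFC 6125 matching as TLS clients do it: '*' covers exactly ONE label.
    So a '*.<domain>' certificate covers 'a.<domain>' but not 'a.b.<domain>',
    even though the Gateway listener admits a route for 'a.b.<domain>'."""
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".<domain>"
    return host.endswith(suffix) and "." not in host[: -len(suffix)]

LISTENER_HOSTNAME = "*.k8s.eu-north-1.ops.cosafe.com"  # from the issue's Gateway
ROUTES = [  # the issue's HTTPRoute plus two constructed routes for contrast
    {"name": "echo-server", "hostnames": ["echo.k8s.eu-north-1.ops.cosafe.com"]},
    {"name": "nested", "hostnames": ["api.echo.k8s.eu-north-1.ops.cosafe.com"]},
    {"name": "other-domain", "hostnames": ["echo.k8s.eu-west-1.ops.cosafe.com"]},
]

if __name__ == "__main__":
    for san in cert_sans_for_listener(LISTENER_HOSTNAME, ROUTES):
        print(san, "covered by listener wildcard cert:",
              covered_by_tls_wildcard(LISTENER_HOSTNAME, san))
```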