Comments (20)
however, I've deployed origin-ca-issuer with the OriginIssuer
You probably know this already, but I want to be clear here. OriginIssuer and Certificate need to be in the same namespace, but that namespace can be different than where you deployed "origin-ca-issuer".
A feature I'd like to see is to be able to create a cluster scoped ClusterOriginIssuer resource that my Certificates can reference.
This is on my todo list.
from origin-ca-issuer.
I've started work on this.
from origin-ca-issuer.
Any progress on this? Or any workaround to not deploy the issuer and secret to every single namespace?
from origin-ca-issuer.
Any update on this? To summarize, this solution works for a single namespace only. If this were refactored to deploy as a ClusterOriginIssuer then it'd cover an entire Kubernetes cluster and it'd reduce the need for redundant objects. I guarantee you'd see a huge uptick in Kubernetes adoption as a result.
Terin I will buy you a one whole coffee and say nothing but good things about your name from here on out. Apologies for the bump, just anxiously waiting. Thanks for your effort and good luck!
from origin-ca-issuer.
Can we expect this feature anytime soon? I'm planning a buildout and want to set expectations.
from origin-ca-issuer.
I started writing the code here, but I haven't finished.
from origin-ca-issuer.
Any updates? This would be very useful for us.
from origin-ca-issuer.
My fork changes OriginIssuer to OriginClusterIssuer, tested on kind and hosted cluster.
Some important things to note:
- apply the newly created CRD
- serviceKeyRef has a required namespace field to target a secret inside a namespace (can be any namespace)
- issuer-kind and issuer-group annotations on the Ingress resource are required in order to match the certificate request to the OriginClusterIssuer
Any feedback for improvement is welcome!
Btw, great work @terinjokes ! 👏
from origin-ca-issuer.
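A sketch of the manifests the notes in the comment above describe, added here as an example and not taken from the fork or the upstream project. It assumes the fork keeps the upstream API group `cert-manager.k8s.cloudflare.com/v1` and the upstream `requestType` / `auth.serviceKeyRef` (`name`, `key`) layout, and that the annotations meant are cert-manager's `cert-manager.io/issuer-kind` and `cert-manager.io/issuer-group`; all resource names, namespaces and hosts are placeholders.

```yaml
# Added example. Schema assumed to mirror upstream OriginIssuer plus the
# fork's `namespace` field on serviceKeyRef. All names are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: origin-ca-service-key        # placeholder
  namespace: origin-ca-issuer        # the one namespace that holds the key
stringData:
  key: "<origin-ca-service-key>"     # placeholder value
---
apiVersion: cert-manager.k8s.cloudflare.com/v1   # assumed unchanged in the fork
kind: OriginClusterIssuer
metadata:
  name: cloudflare-origin            # cluster-scoped, so no namespace
spec:
  requestType: OriginECC
  auth:
    serviceKeyRef:
      name: origin-ca-service-key
      key: key
      namespace: origin-ca-issuer    # required field, per the comment
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: team-a                  # no issuer or key copy needed here
  annotations:
    cert-manager.io/issuer: cloudflare-origin
    cert-manager.io/issuer-kind: OriginClusterIssuer
    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
  tls:
    - hosts: [app.example.com]
      secretName: example-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example
                port:
                  number: 80
```

With this layout the service key lives in a single namespace, so RBAC on that Secret can be limited to the issuer's controller instead of granting read access in every application namespace.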
Yep, I worked that aspect out.
A second question was when using the cert it works fine when I proxy through CloudFlare but using the cert for a split-horizon with internal DNS my machine didn't trust the root CA, I guess this is fine but I'd rather not have to trust the CA on all devices, do you have any thoughts on what would potentially fix this issue?
from origin-ca-issuer.
> OriginIssuer and Certificate need to be in the same namespace
And the Origin CA token should be in the same namespace as well, which is pretty bad when you're trying to auto-create namespaces for code review
from origin-ca-issuer.
Please add support for a cluster-scoped issuer.
from origin-ca-issuer.
@terinjokes any updates on this one?
from origin-ca-issuer.
If you can push it to a branch I can probably find time to help out?
from origin-ca-issuer.
This would be wildly useful
from origin-ca-issuer.
@terinjokes any updates here? I see that you already started some work here.
from origin-ca-issuer.
Same, I would really like to avoid replicating the secret on every namespace where I want an issuer.
from origin-ca-issuer.
@terinjokes any update on this? And can we get the changes from @penumbra23 for example back on the main stream? I do not really like all the forks all over the place
from origin-ca-issuer.
I'm still working on it, but this is not my full-time job. I know nothing about changes @penumbra23 has made as they never opened a PR.
from origin-ca-issuer.
@pimjansen @terinjokes Well, actually my fork changed the whole operator to a cluster issuer, so it's not working anymore as a namespaced issuer. When I got some time I will update the code to have both options available.
from origin-ca-issuer.
> I'm still working on it, but this is not my full-time job. I know nothing about changes @penumbra23 has made as they never opened a PR.
Understand ofc! For the community it would be great if you could wrap your heads together 👍🏻
from origin-ca-issuer.