Comments (20)

terinjokes commented on September 6, 2024 22

> however, I've deployed origin-ca-issuer with the OriginIssuer

You probably know this already, but I want to be clear here. OriginIssuer and Certificate need to be in the same namespace, but that namespace can be different than where you deployed "origin-ca-issuer".

> A feature I'd like to see is to be able to create a cluster scoped ClusterOriginIssuer resource that my Certificates can reference.

This is on my todo list.

from origin-ca-issuer.

terinjokes commented on September 6, 2024 20

I've started work on this.

pjetr3k commented on September 6, 2024 11

Any progress on this? Or any workaround to not deploy the issuer and secret to every single namespace?

vaelant commented on September 6, 2024 10

Any update on this? To summarize, this solution works for a single namespace only. If this were refactored to deploy as a ClusterOriginIssuer then it'd cover an entire Kubernetes cluster and it'd reduce the need for redundant objects. I guarantee you'd see a huge uptick in Kubernetes adoption as a result.

Terin I will buy you a one whole coffee and say nothing but good things about your name from here on out. Apologies for the bump, just anxiously waiting. Thanks for your effort and good luck!

Eric-TPS commented on September 6, 2024 5

Can we expect this feature anytime soon? I'm planning a buildout and want to set expectations.

terinjokes commented on September 6, 2024 4

I started writing the code here, but I haven't finished.

bsgrigorov commented on September 6, 2024 2

Any updates? This would be very useful for us.

penumbra23 commented on September 6, 2024 2

My fork changes OriginIssuer to OriginClusterIssuer, tested on kind and a hosted cluster.

Some important things to note:

  • apply the newly created CRD
  • serviceKeyRef has a required namespace field to target a secret inside a namespace (can be any namespace)
  • issuer-kind and issuer-group annotations on the Ingress resource are required in order to match the certificate request to the OriginClusterIssuer

Any feedback for improvement is welcome!

Btw, great work @terinjokes ! 👏
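
The three notes in the comment above, sketched as manifests. This is an added illustration, not taken from the fork: it assumes the fork keeps upstream origin-ca-issuer's API group (`cert-manager.k8s.cloudflare.com/v1`) and spec layout, and every resource name, namespace and hostname is a placeholder.

```yaml
# Assumed: the fork keeps upstream's API group/version and spec fields.
apiVersion: cert-manager.k8s.cloudflare.com/v1
kind: OriginClusterIssuer          # cluster-scoped, so no metadata.namespace
metadata:
  name: example-cluster-issuer     # placeholder name
spec:
  requestType: OriginECC
  auth:
    serviceKeyRef:
      name: origin-ca-service-key  # placeholder Secret holding the Origin CA key
      key: key
      namespace: origin-ca-system  # required by the fork; placeholder namespace
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  namespace: team-a                # any namespace; no issuer or Secret copy here
  annotations:
    cert-manager.io/issuer: example-cluster-issuer
    # Both annotations are needed so the certificate request is matched to
    # the external cluster-scoped issuer rather than a built-in Issuer.
    cert-manager.io/issuer-kind: OriginClusterIssuer
    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
  tls:
    - hosts: [app.example.com]
      secretName: example-app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app
                port:
                  number: 80
```

With the service key Secret kept in a single namespace, read access to it can be restricted with RBAC on that namespace alone instead of in every namespace that requests certificates.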

xunholy commented on September 6, 2024

Yep, I worked that aspect out.

A second question: when using the cert, it works fine when I proxy through Cloudflare, but when using the cert for a split-horizon with internal DNS, my machine didn't trust the root CA. I guess this is fine, but I'd rather not have to trust the CA on all devices. Do you have any thoughts on what would potentially fix this issue?

upcFrost commented on September 6, 2024

> OriginIssuer and Certificate need to be in the same namespace

And the Origin CA token should be in the same namespace as well, which is pretty bad when you're trying to auto-create namespaces for code review

diversit commented on September 6, 2024

Please add support for a cluster-scoped issuer.

james-callahan commented on September 6, 2024

@terinjokes any updates on this one?

sgran commented on September 6, 2024

If you can push it to a branch I can probably find time to help out?

Kampe commented on September 6, 2024

This would be wildly useful

oleksandr-shkovyra commented on September 6, 2024

@terinjokes any updates here? I see that you already started some work here.

ManuInNZ commented on September 6, 2024

Same, I would really like to avoid replicating the secret on every namespace where I want an issuer.

pimjansen commented on September 6, 2024

@terinjokes any update on this? And can we get the changes from @penumbra23 for example back on the main stream? I do not really like all the forks all over the place

terinjokes commented on September 6, 2024

I'm still working on it, but this is not my full-time job. I know nothing about changes @penumbra23 has made as they never opened a PR.

penumbra23 commented on September 6, 2024

@pimjansen @terinjokes Well, actually my fork changed the whole operator to a cluster issuer, so it's not working anymore as a namespaced issuer. When I get some time, I will update the code to have both options available.

pimjansen commented on September 6, 2024

> I'm still working on it, but this is not my full-time job. I know nothing about changes @penumbra23 has made as they never opened a PR.

Understand ofc! For the community it would be great if you could wrap your heads together 👍🏻
