pomerium / pomerium-helm

Official helm charts for Pomerium.

Home Page: https://helm.pomerium.io/


certificate for Ingress

wasaga opened this issue · comments

What happened?

Currently, the helm chart creates an authenticate Ingress resource without referencing a TLS secret, which, unless you know how to fix it, results in an invalid certificate being served, and if the domain has HSTS enabled.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.pomerium.io/allow_public_unauthenticated_access: "true"
    ingress.pomerium.io/preserve_host_header: "true"
    ingress.pomerium.io/secure_upstream: "true"
    ingress.pomerium.io/tls_server_name: authenticate.domain.com
  name: pomerium-authenticate
spec:
  ingressClassName: pomerium
  rules:
  - host: authenticate.domain.com
    http:
      paths:
      - backend:
          service:
            name: pomerium-authenticate
            port:
              name: https
        path: /
        pathType: Prefix

Another minor side effect that might cause confusion: as that Ingress does not have a tls section, kubectl would incorrectly show that this Ingress is HTTP-only.

NAME                    CLASS      HOSTS                     ADDRESS   PORTS   AGE
pomerium-authenticate   pomerium   authenticate.domain.com   x.x.x.x   80      51m

What did you expect to happen?

Do not allow the user to create an invalid, broken setup. Helm should not proceed if some of the mandatory parameters are not set; either:

add an authenticate.tls_secret_cert_manager_solver parameter

add a tls section and HTTP solver annotation to the authenticate Ingress resource accordingly.

make authenticate.existingExternalTLSSecret mandatory if ingressController.enabled == true

We should also inform users how to create a certificate, i.e.:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: authenticate-domain-com
spec:
  dnsNames:
  - authenticate.domain.com
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod-http
  secretName: authenticate-domain-com
  usages:
  - digital signature
  - key encipherment

Closed by #220
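The gap the issue describes (an Ingress whose rule hosts have no matching spec.tls entry) is easy to catch mechanically before a chart is applied. The following is an added example, not code from pomerium-helm or from the issue author: it takes an Ingress as a plain dict (the shape `yaml.safe_load` would return for the manifest above) and reports every host in `spec.rules` that no `spec.tls` entry with a `secretName` covers, including one-label wildcard hosts. The two sample Ingress objects are constructed here; the "fixed" one references the `authenticate-domain-com` secret the cert-manager Certificate in the issue would create.

```python
"""Lint an Ingress for rule hosts that no spec.tls entry covers.

Added example, not code from pomerium-helm or from the issue author. The
Ingress is handled as a plain dict, which is what yaml.safe_load returns.
"""
import copy
from typing import Any, Dict, List, Optional


def _host_covered_by(rule_host: str, tls_host: str) -> bool:
    """True if a tls.hosts entry covers a rule host (exact or one-label wildcard)."""
    if tls_host == rule_host:
        return True
    if tls_host.startswith("*."):
        suffix = tls_host[1:]  # "*.domain.com" -> ".domain.com"
        prefix = rule_host[: -len(suffix)] if rule_host.endswith(suffix) else ""
        # A wildcard matches exactly one label, never zero or several.
        return bool(prefix) and "." not in prefix
    return False


def tls_coverage(ingress: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Map each host in spec.rules to the secretName that covers it, or None."""
    spec = ingress.get("spec") or {}
    rule_hosts = [r["host"] for r in spec.get("rules") or [] if r.get("host")]
    coverage: Dict[str, Optional[str]] = {h: None for h in rule_hosts}
    for entry in spec.get("tls") or []:
        secret = entry.get("secretName")
        if not secret:
            continue  # a tls entry without a secret cannot serve these hosts
        tls_hosts = entry.get("hosts")
        for rule_host in rule_hosts:
            if coverage[rule_host] is not None:
                continue
            # An entry with no hosts list is the controller's default for all
            # hosts; otherwise require an exact or wildcard match.
            if not tls_hosts or any(_host_covered_by(rule_host, t) for t in tls_hosts):
                coverage[rule_host] = secret
    return coverage


def missing_tls_hosts(ingress: Dict[str, Any]) -> List[str]:
    """Rule hosts that would be served without a referenced TLS secret."""
    return sorted(h for h, s in tls_coverage(ingress).items() if s is None)


def lint(ingress: Dict[str, Any]) -> List[str]:
    """Human-readable findings; an empty list means every host has a TLS secret."""
    name = (ingress.get("metadata") or {}).get("name", "<unnamed>")
    return [
        f"{name}: host {h} has no spec.tls entry with a secretName "
        f"(kubectl will list it as port 80 only)"
        for h in missing_tls_hosts(ingress)
    ]


# Constructed sample: the authenticate Ingress from the issue, as a dict.
BROKEN_INGRESS: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "pomerium-authenticate"},
    "spec": {
        "ingressClassName": "pomerium",
        "rules": [{
            "host": "authenticate.domain.com",
            "http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "pomerium-authenticate",
                                        "port": {"name": "https"}}},
            }]},
        }],
    },
}

# Constructed sample: the same Ingress with a tls section that references the
# secret the cert-manager Certificate in the issue would create.
FIXED_INGRESS: Dict[str, Any] = copy.deepcopy(BROKEN_INGRESS)
FIXED_INGRESS["spec"]["tls"] = [
    {"hosts": ["authenticate.domain.com"], "secretName": "authenticate-domain-com"}
]

if __name__ == "__main__":
    for ing in (BROKEN_INGRESS, FIXED_INGRESS):
        print(lint(ing) or ["OK"])
```

Run against the rendered output of `helm template`, this is the kind of check that would have flagged the chart's authenticate Ingress before it reached a cluster; the same coverage function also tells you which secret each host relies on, which is useful when a wildcard entry and a per-host entry both exist.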