Implement the Gateway API support to configurate an ACME issuer #36
Conversation
21a1e20
to
18cca64
Compare
|
|
||
| # The following parameters must be used in combination | ||
| # 1. issuer_type is "SelfSigned" and envoy.service.type is "NodePort", which can be tested in a local kind environment. | ||
| # 2. issuer_type is "ACME" and envoy.service.type is "LoadBalancer", which can be tested in a cloud environment such as GKE. |
There was a problem hiding this comment.
Now it is only tested, if there will not problem, I will do other works, like update readme.
There was a problem hiding this comment.
Thanks for working on this @lonelyCZ !
I've tried the module, but am getting error during ACME issuer creation. I can reproduce this on kind cluster as well
│ Error: Plugin did not respond
│
│ with kubernetes_manifest.gateway-issuer-acme[0],
│ on main.tf line 121, in resource "kubernetes_manifest" "gateway-issuer-acme":
│ 121: resource "kubernetes_manifest" "gateway-issuer-acme" {
│
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
Stack trace from the terraform-provider-kubernetes_v2.12.1_x5 plugin:
panic: interface conversion: interface {} is nil, not map[string]interface {}
...
(As a sidenote, we probably want to add a dependency on gateway API install to cert-manager install module as the cert-manager pod crashes if the Gateway feature is enabled, but it does not find the Gateway CRDs)
| @@ -13,3 +13,11 @@ variable "issuer_name" { | |||
| default = "gateway-issuer" | |||
| } | |||
|
|
|||
| variable "issuer_type" { | |||
| type = string | |||
There was a problem hiding this comment.
Here we should validate that it is one of the accepted types (similar to what you did for vault auth mechanisms https://github.com/cert-manager/testing-addons/blob/master/cm-vault/vault-config/variables.tf#L10
cm-gateway/cm-config/main.tf
Outdated
| resource "kubernetes_manifest" "selfsigned-issuer" { | ||
| count = var.issuer_type == "SelfSigned" ? 1 : 0 |
There was a problem hiding this comment.
I think this issuer type should be called something like SelfSignedCA as it is a CA issuer that is actually used to sign the Gateway certs not a self-signed one
I guess this is error coming from
It seems that the previous resources haven't removed completely. Could you please help to retest it in your env. But now there are some problems certainly, for example, if there are some errors occurring when executing
From the Dependencies Graph, currently, the cert-manager should be deployed after gateway-api installed. Could you describe your encountered problems? |
|
I also reproduced this error in my kind cluster. I found the |
fec73f8
to
8322d6a
Compare
| } | ||
| "spec" = { | ||
| "acme" = { | ||
| "email" : var.acme_email |
There was a problem hiding this comment.
I guess the problem is the configuration of acme, could you please help me to deploy it alone to debug it?
There was a problem hiding this comment.
Ahh yes you're right there is a problem with the example email
status:
acme: {}
conditions:
- lastTransitionTime: "2022-08-24T15:12:58Z"
message: 'Failed to register ACME account: 400 urn:ietf:params:acme:error:invalidEmail:
Error creating new account :: invalid contact domain. Contact emails @example.com
are forbidden'
observedGeneration: 1
reason: ErrRegisterACMEAccount
status: "False"
type: Read
There was a problem hiding this comment.
... however I see that even with the correct email when the issuer does become ready it nevertheless crashes.
We should investigate for a bit more, if it doesn't help, we can try to temporarily remove the wait condition.
There was a problem hiding this comment.
I see that even with the correct email when the issuer does become ready it nevertheless crashes.
Is it the reason that is timeout? The current creation time is only 1 minute.
Hi @lonelyCZ yes, if the wait condition is removed the ACME issuer gets created correctly 👍🏼 I now see another error where the ACME challenge does not get solved correctly, looking into it.. |
I think we need another Let me know if that makes sense |
Thanks for your investigations, I will do it as your suggestions today. |
Thank you @lonelyCZ 😄 |
8322d6a
to
2999ed9
Compare
|
Please take a look. The dependencies graph also has been updated. /assign @irbekrm |
|
@lonelyCZ I think we still need to remove that wait condition from the issuer #36 (comment) |
Ok, any other problems? If no, I am going to update the readme file. /hold |
I think after that this should be good 👍🏼 |
2999ed9
to
5324095
Compare
|
/unhold /assign @irbekrm |
Signed-off-by: lonelyCZ <531187475@qq.com>
Signed-off-by: lonelyCZ <531187475@qq.com>
5324095
to
cbfe992
Compare
|
Thanks @lonelyCZ! /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm, lonelyCZ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: lonelyCZ 531187475@qq.com
Fixes #33