Support for certificate annotations on Istio Gateway/Virtual Service
The new version of https://github.com/gardener/cert-management/releases/tag/v0.14.0 enables the possibility to annotate an "Istio Gateway/Virtual Service"; as a result, the certificate manager will be able to create the certificate secret in the istio namespace, and thus cap-operator will not need to create the certificate object in the istio-system namespace.
Hi Daniel, Thanks for this info. We plan to do this along with a similar feature we got to know a while back w.r.t. annotating for DNSEntries https://github.com/gardener/external-dns-management/releases/tag/v0.18.0 (available for a few months now), so that in gardener clusters both DNS records and certificates can be taken over by gardener controllers and we are not manually doing the same.
We need to plan whether we can just do the implementation assuming (and documenting) that all clusters are running these newer versions, or we provide an option to switch this on for a while.
This issue will be updated once the implementation happens.
Thanks & Regards, Pavan
Hi Pavan,
external-dns-management 0.18.4 is already present in Gardener Canary. As for cert-management 0.14.0, it needs to undergo some rounds of testing first; we will monitor and let you know.
Hi @Pavan-SAP,
I have tested feature https://github.com/gardener/cert-management/pull/174 that has been delivered via https://github.com/gardener/cert-management/releases/tag/v0.14.0 on gardener/canary and gardener/live and it is working.
After putting the annotation on the gateway object:
`cert.gardener.cloud/purpose: managed`
a certificate object is created in the same namespace as the gateway with the name
`<gateway name>-<generated string>`
and the owner reference is set to the originating gateway. A TLS secret is also created, which is referenced in the certificate spec.
Can you please come up with a proposal for how this feature can be utilized by cap-operator? Not every user of cap-operator will use gardener or gardener/cert-management, so it would probably be good to configure it at CAPApplication level.
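As an added illustration (not part of this issue thread and not cap-operator's or cert-management's own code), a Gateway carrying the annotation described above, followed by the shape of the Certificate that the controller creates next to it: same namespace, `<gateway name>-<generated string>` name, owner reference to the Gateway, and a secretRef to the TLS secret. Gateway name, namespace, host, secret name and the generated suffix are constructed placeholders, and that the controller reads the hosts and `credentialName` from the `tls` server entry is an assumption about cert-management, not something stated in this thread.

```yaml
# Constructed example: an Istio Gateway annotated for Gardener cert-management.
# Names, namespace and host are placeholders, not values from the issue.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-app-gateway
  namespace: istio-system
  annotations:
    cert.gardener.cloud/purpose: managed   # the annotation discussed in the issue
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-app-tls           # assumption: used as the TLS secret name
    hosts:
    - my-app.example.com
---
# Shape of the Certificate the controller creates in the Gateway's namespace:
# name <gateway name>-<generated string>, ownerReference to the Gateway,
# secretRef pointing at the TLS secret. Suffix "abc12" and uid are placeholders.
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: my-app-gateway-abc12
  namespace: istio-system
  ownerReferences:
  - apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    name: my-app-gateway
    uid: "00000000-0000-0000-0000-000000000000"   # placeholder for the Gateway uid
spec:
  dnsNames:
  - my-app.example.com
  secretRef:
    name: my-app-tls
    namespace: istio-system
```

Because the owner reference points at the Gateway, deleting the Gateway garbage-collects the Certificate, so an operator that only annotates the Gateway never has to clean up certificate objects itself.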