FAQ: How does cert-manager handle ingresses with valid TLS secrets?
I'm trying to figure out if, when creating an ingress with a reference to a TLS secret that is populated with a valid certificate (hostname matches and date is within the valid from/until range), no attempts are being made to obtain a new certificate.
I am in the process of migrating from one Kubernetes cluster to another. The current cluster is using Traefik 1.7, using Traefik's own ACME resolver. I've written a script that parses the acme.json and generates TLS secrets for usage in my new cluster. All certificates used are Let's Encrypt issued. I'll be using cert-manager for renewing these in my new cluster. Since I'll be spinning up my services on the new cluster before actually changing the DNS, I'm hoping that adding the appropriate TLS secrets for the ingresses will prevent cert-manager from attempting to request Let's Encrypt certificates (given the certificates aren't near their expiration date of course). I haven't been able to validate this from the documentation. So maybe I've missed it, or maybe it's not yet there and it might be worth adding it!
Side note: great work on this piece of software! It's really easy to use and I am particularly happy that you've decided to implement ACME, not hardwire it to Let's Encrypt, since we're using an in-house ACME service of our own 👍
Sorry for the very delayed answer.
In v0.16 the controller will now look at the certificate inside the secret and look at the duration; it will happily "adopt" it as its own and renew when needed.
A PR to add this to the docs is welcome!
/kind documentation /priority backlog /help
@meyskens: This request has been marked as needing help from a contributor.