This is an example of integrating cert-manager with Ambassador across multiple Kubernetes namespaces.
The purpose of this repo is to solve Ambassador's per-namespace certificate issue: emissary-ingress/emissary#2989
- Created `staging`, `development` and `production` namespaces on Kubernetes to keep each service environment separate.
- Installed Ambassador from the official Helm chart: https://github.com/datawire/ambassador-chart
- Used cert-manager to issue certificates for the domains: https://cert-manager.io/docs/installation/kubernetes/
- Used the test domain `domain.com` as the base domain, with `development.domain.com` for development and `staging.domain.com` for staging.
- Used a Flask app as the service in each environment.
- Used a ClusterIssuer pointing at the Let's Encrypt production endpoint. (Let's Encrypt production enforces rate limits, so while debugging challenge routing it is safer to test against a staging issuer first and switch to production once challenges succeed.)
Ambassador does not route on Ingress rules; it routes on Mappings. cert-manager, however, solves ACME HTTP-01 challenges by creating an Ingress rule for `/.well-known/acme-challenge/<token>` together with a solver pod that answers it on port 8089. Let's Encrypt's verification request for that path therefore never reaches the solver unless a Mapping forwards it. The Mapping and Service below fix that for a single namespace:
```yaml
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""          # keep the full path; the solver expects /.well-known/acme-challenge/<token>
  service: acme-challenge-service
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-service
spec:
  ports:
    - port: 80
      targetPort: 8089   # cert-manager's HTTP-01 solver pod listens on 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"   # label cert-manager puts on its solver pods
```
But this has to work for every namespace, and certificates have to renew automatically. When I created the Mapping and Service per environment, verification did not happen, as described in the GitHub issue linked above: the Mapping was not forwarding the ACME request to the solver in the namespace that requested the certificate.

After a lot of time spent going through the docs and raising the issue on Ambassador, I realized:
- Ambassador uses `ambassador_id` to decide which Ambassador instance a Mapping belongs to; it does not by itself tell Ambassador which namespace a bare service name lives in.
- The `service` field of a Mapping accepts a namespace-qualified name (`<service>.<namespace>`), which Ambassador resolves through Kubernetes DNS, so traffic reaches the Service in that namespace regardless of where Ambassador itself runs.
- With the default `ambassador_id`, give each environment's solver Service a unique name and suffix it with its namespace, e.g. `acme-challenge-development-service.development`, where `development` is the namespace of the Service.

I have tested this and it works as expected: certificates are issued and renewed for all domains across the different namespaces.
```yaml
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-development
  namespace: development
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""          # keep the token path intact for the solver
  host: development.domain.com
  service: http://acme-challenge-development-service.development   # <service>.<namespace>
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: development
spec:
  host: development.domain.com
  prefix: /            # Ambassador prefers the longer /.well-known/acme-challenge/ prefix, so this never captures challenges
  # Everything that is not the ACME challenge path goes to the environment's application.
  # The original draft pointed this at acme-challenge-mapping-development.development, which is
  # a Mapping name, not a Service, and cannot be routed to. <flask-app-service> is a placeholder
  # for the Flask app Service in this namespace; its real name is not given on this page.
  service: http://<flask-app-service>.development
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-development-service
  namespace: development
spec:
  ports:
    - port: 80
      targetPort: 8089   # cert-manager's HTTP-01 solver pod listens on 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-production
  namespace: production
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  host: domain.com
  service: http://acme-challenge-production-service.production
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: production
spec:
  host: domain.com
  prefix: /
  # Placeholder for the production Flask app Service (see the development Mapping above).
  service: http://<flask-app-service>.production
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-production-service
  namespace: production
spec:
  ports:
    - port: 80
      targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-staging
  namespace: staging
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  host: staging.domain.com
  service: http://acme-challenge-staging-service.staging
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: staging
spec:
  host: staging.domain.com
  prefix: /
  # Placeholder for the staging Flask app Service (see the development Mapping above).
  service: http://<flask-app-service>.staging
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-staging-service
  namespace: staging
spec:
  ports:
    - port: 80
      targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
```

Note that the challenge Service selects any pod in its namespace carrying the `acme.cert-manager.io/http01-solver: "true"` label, so whoever can create pods in that namespace can answer HTTP-01 challenges for that environment's host. Keep namespace write access to the people who are meant to own those certificates.
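The defects that cost time here (a mis-spelled `namespace:` key, an unqualified or mistyped `service` target, a challenge Mapping without `rewrite: ""`) are all visible in the manifests before anything is applied. The script below is an added example, not code from this repo, that lints Mappings and Services for exactly those points. The manifests it checks are the parsed form of the YAML above, constructed inline as Python dicts so it runs offline without a cluster or a YAML library; the `BAD_MAPPINGS` set reproduces the earlier drafts, and `flask-app-service` is an assumed name for the application Service.

```python
"""Lint Ambassador Mappings/Services used for cert-manager HTTP-01 challenges (added example)."""
from __future__ import annotations

ACME_PREFIX = "/.well-known/acme-challenge/"
SOLVER_LABEL = ("acme.cert-manager.io/http01-solver", "true")  # label cert-manager sets on solver pods
SOLVER_PORT = 8089                                              # port the solver pod listens on
META_KEYS = {"name", "namespace", "labels", "annotations"}


def parse_service_ref(ref: str) -> tuple[str, str | None]:
    """Split a Mapping `service` value into (name, namespace or None).

    Handles `svc`, `svc.ns`, `http://svc.ns`, `svc.ns:8080` and `svc.ns.svc.cluster.local`.
    """
    host = ref.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    parts = host.split(".")
    return (parts[0], None) if len(parts) == 1 else (parts[0], parts[1])


def lint(mappings: list[dict], services: list[dict]) -> list[str]:
    """Return findings for the given manifests; an empty list means they look right."""
    findings: list[str] = []
    svc_index = {(s["metadata"].get("namespace"), s["metadata"]["name"]): s for s in services}
    seen_routes: dict[tuple, str] = {}

    for m in mappings:
        meta, spec = m["metadata"], m["spec"]
        where = f"Mapping {meta.get('namespace', '?')}/{meta.get('name', '?')}"

        for key in meta:  # catches typos such as `namspace`, which Kubernetes would otherwise drop
            if key not in META_KEYS:
                findings.append(f"{where}: unknown metadata key '{key}' (typo for 'namespace'?)")

        # An unqualified name relies on Ambassador's default namespace resolution; require <svc>.<ns>.
        name, ns = parse_service_ref(spec["service"])
        if ns is None:
            findings.append(f"{where}: service '{spec['service']}' is not namespace-qualified")
            ns = meta.get("namespace")
        svc = svc_index.get((ns, name))
        if svc is None:
            findings.append(f"{where}: service '{spec['service']}' matches no Service {ns}/{name}")

        # The same host+prefix claimed twice is ambiguous routing across namespaces.
        route = (spec.get("host"), spec["prefix"])
        if route in seen_routes:
            findings.append(f"{where}: host/prefix {route} already used by {seen_routes[route]}")
        seen_routes[route] = where

        if spec["prefix"] == ACME_PREFIX:
            # Ambassador's default rewrite is "/", which would strip the token path the solver expects.
            if spec.get("rewrite", "/") != "":
                findings.append(f'{where}: ACME challenge Mapping must set rewrite: ""')
            if svc is not None:
                sel = svc["spec"].get("selector", {})
                if sel.get(SOLVER_LABEL[0]) != SOLVER_LABEL[1]:
                    findings.append(f"{where}: backing Service does not select cert-manager solver pods")
                if SOLVER_PORT not in [p.get("targetPort") for p in svc["spec"].get("ports", [])]:
                    findings.append(f"{where}: backing Service does not target solver port {SOLVER_PORT}")
    return findings


def solver_service(env: str) -> dict:
    """Parsed form of the per-environment acme-challenge Service from this README."""
    return {"kind": "Service",
            "metadata": {"name": f"acme-challenge-{env}-service", "namespace": env},
            "spec": {"ports": [{"port": 80, "targetPort": SOLVER_PORT}],
                     "selector": {SOLVER_LABEL[0]: SOLVER_LABEL[1]}}}


# Parsed form of the working development Mappings above (flask-app-service is an assumed name).
GOOD_MAPPINGS = [
    {"kind": "Mapping",
     "metadata": {"name": "acme-challenge-mapping-development", "namespace": "development"},
     "spec": {"prefix": ACME_PREFIX, "rewrite": "", "host": "development.domain.com",
              "service": "http://acme-challenge-development-service.development"}},
]

# Constructed drafts carrying the defects the README ran into.
BAD_MAPPINGS = [
    {"kind": "Mapping",  # unqualified service, no matching Service, rewrite left at default
     "metadata": {"name": "acme-challenge-mapping", "namespace": "development"},
     "spec": {"prefix": ACME_PREFIX, "host": "development.domain.com",
              "service": "acme-challenge-service"}},
    {"kind": "Mapping",  # `namspace` typo and a service value that names a Mapping, not a Service
     "metadata": {"name": "acme-default-mapping", "namspace": "development"},
     "spec": {"prefix": "/", "host": "development.domain.com",
              "service": "http://acme-challenge-mapping-development.development"}},
]

if __name__ == "__main__":
    for label, ms in (("good", GOOD_MAPPINGS), ("bad", BAD_MAPPINGS)):
        print(label, lint(ms, [solver_service("development")]) or ["ok"])
```

Run it before `kubectl apply`: a clean result on the `good` set and five findings on the `bad` set. Feeding it the real manifests means parsing the YAML (for example with PyYAML) into the same dict shape, which is left out here to keep the example dependency-free.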