ambassador-certificate-namespace

This is an example of integrating cert-manager with Ambassador across multiple Kubernetes namespaces.

The purpose of this repo is to solve Ambassador's per-namespace certificate issue: emissary-ingress/emissary#2989

Overview

  1. Created staging, development and production namespaces on Kubernetes to keep the service environments separate.
  2. Installed Ambassador from the official Helm chart: https://github.com/datawire/ambassador-chart
  3. Used cert-manager to install certificates for the domains: https://cert-manager.io/docs/installation/kubernetes/
  4. Used the test domain "domain.com" as the base domain, with development.domain.com for development and likewise for staging.
  5. Used a Flask app as the service in each environment.
  6. Used a ClusterIssuer for Let's Encrypt production.

Solution

Ambassador does not support Ingress rules; it uses Mappings instead. cert-manager, however, still relies on Ingress rules to install certificates for domains: it performs the ACME HTTP-01 domain verification by serving a challenge response for the requested domain. To bridge the two, the following Mapping and Service route challenge traffic to cert-manager's solver pods:

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  service: acme-challenge-service
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-service
spec:
  ports:
  - port: 80
    targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"

But this has to be applied in every namespace, and certificates need to be renewed automatically. If I create the Mapping and Service for each environment, verification does not succeed, as described in the GitHub issue linked above. So it is purely a Mapping problem: Ambassador gets confused about which namespace to forward the ACME request to.

After a lot of time going through the docs and raising an issue on Ambassador, I realised the following:

  1. Ambassador uses ambassador_id to identify the namespace for Mappings.
  2. We can set ambassador_id to use Kubernetes DNS to map traffic to internal services.
  3. If ambassador_id is left at its default, we can still identify the service uniquely by appending the namespace name as a suffix, e.g. acme-challenge-development-service.development, where development is the namespace of the service.

I have tested this and it works as expected: certificates are installed and renewed for all domains across the different namespaces.

Environment-based ACME challenge Service solution for multiple namespaces and domains

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-development
  namespace: development
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  host: development.domain.com
  service: http://acme-challenge-development-service.development
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: development
spec:
  host: development.domain.com
  prefix: /
  service: http://acme-challenge-mapping-development.development
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-development-service
  namespace: development
spec:
  ports:
    - port: 80
      targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-production
  namespace: production
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  host: domain.com
  service: http://acme-challenge-production-service.production
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: production
spec:
  host: domain.com
  prefix: /
  service: http://acme-challenge-mapping-production.production
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-production-service
  namespace: production
spec:
  ports:
    - port: 80
      targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-challenge-mapping-staging
  namespace: staging
spec:
  prefix: /.well-known/acme-challenge/
  rewrite: ""
  host: staging.domain.com
  service: acme-challenge-staging-service.staging
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: acme-default-mapping
  namespace: staging
spec:
  host: staging.domain.com
  prefix: /
  service: http://acme-challenge-mapping-staging.staging
---
apiVersion: v1
kind: Service
metadata:
  name: acme-challenge-staging-service
  namespace: staging
spec:
  ports:
    - port: 80
      targetPort: 8089
  selector:
    acme.cert-manager.io/http01-solver: "true"
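As an added consistency check (not part of this repo), the Python below lints manifests like the ones above for the mistakes this per-namespace pattern invites: an ACME Mapping whose service lacks the namespace suffix, a misspelled metadata key, a Service that does not select the cert-manager solver pods, or a wrong port. The manifests are embedded as constructed dicts rather than parsed from YAML, so it runs offline without PyYAML.

```python
SOLVER_LABEL = "acme.cert-manager.io/http01-solver"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
SOLVER_PORT = 8089  # targetPort the repo's Services use for the cert-manager solver pods
KNOWN_META = {"name", "namespace", "labels", "annotations"}

def lint(manifests):
    """Return human-readable findings; an empty list means the manifests are consistent."""
    findings, services = [], {}
    for m in manifests:  # pass 1: metadata sanity and a Service index keyed by (namespace, name)
        meta = m.get("metadata", {})
        ident = f"{m['kind']}/{meta.get('name', '?')}"
        for key in meta:
            if key not in KNOWN_META:  # catches misspellings such as 'namspace'
                findings.append(f"{ident}: unknown metadata key {key!r}")
        if m["kind"] == "Service":
            services[(meta.get("namespace", "default"), meta["name"])] = m["spec"]
    for m in manifests:  # pass 2: every ACME-challenge Mapping must reach a solver Service
        if m["kind"] != "Mapping" or m["spec"].get("prefix") != CHALLENGE_PREFIX:
            continue
        ident = f"Mapping/{m['metadata'].get('name', '?')}"
        target = m["spec"]["service"].split("://", 1)[-1]  # drop an optional http:// scheme
        name, _, ns = target.partition(".")
        if not ns:
            findings.append(f"{ident}: service {target!r} lacks the namespace suffix")
            continue
        svc = services.get((ns, name))
        if svc is None:
            findings.append(f"{ident}: no Service {name!r} found in namespace {ns!r}")
            continue
        if svc.get("selector", {}).get(SOLVER_LABEL) != "true":
            findings.append(f"{ident}: Service {name!r} does not select {SOLVER_LABEL}=true pods")
        ports = {(p.get("port"), p.get("targetPort")) for p in svc.get("ports", [])}
        if (80, SOLVER_PORT) not in ports:
            findings.append(f"{ident}: Service {name!r} must expose port 80 -> targetPort {SOLVER_PORT}")
    return findings

# Constructed sample (not the repo's files): a correct development pair, then a staging Mapping with two defects.
SAMPLE = [
    {"kind": "Mapping", "metadata": {"name": "acme-challenge-mapping-development", "namespace": "development"},
     "spec": {"prefix": CHALLENGE_PREFIX, "host": "development.domain.com", "service": "http://acme-challenge-development-service.development"}},
    {"kind": "Service", "metadata": {"name": "acme-challenge-development-service", "namespace": "development"},
     "spec": {"ports": [{"port": 80, "targetPort": SOLVER_PORT}], "selector": {SOLVER_LABEL: "true"}}},
    {"kind": "Mapping", "metadata": {"name": "acme-challenge-mapping-staging", "namspace": "staging"},
     "spec": {"prefix": CHALLENGE_PREFIX, "host": "staging.domain.com", "service": "acme-challenge-staging-service"}},
]

if __name__ == "__main__":
    for line in lint(SAMPLE) or ["ok: challenge routing is consistent"]:
        print(line)
```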