Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shared cert refs between multiple gateways in the same namespace #984

Open
KevFan opened this issue Nov 6, 2024 · 1 comment
Open

shared cert refs between multiple gateways in the same namespace #984

KevFan opened this issue Nov 6, 2024 · 1 comment
Assignees
@KevFan
Labels
kind/bug Something isn't working

Comments

@KevFan
Copy link
Contributor

KevFan commented Nov 6, 2024
edited
Loading

Description

For a TLSPolicy, the created Cert uses the name defined in the listener certificate ref defined in the Gateway spec. This allows for sharing Certs across multiple listeners and one single Cert is created with the hostnames of the listeners.

However, if another gateway in the same namespace also defines the same listener certifcate ref with a TLSPolicy attached, the Certifcate will be constantly updated.

kubectl apply -n istio-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-1
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: '*.toys.io'
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: toys
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All    
  - name: http2
    hostname: '*.soys.io'
    port: 599
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: toys
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-2
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: '*.coys.io'
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: toys
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All    
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: kuadrant.io/v1
kind: TLSPolicy
metadata:
  name: gw1-tls
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gateway-1
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-issuer
---
apiVersion: kuadrant.io/v1
kind: TLSPolicy
metadata:
  name: gw2-tls
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gateway-2
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-issuer
EOF

The cert is constantly updated:

watch -n 0.5 "kubectl get certificate toys -n istio-system -o yaml | yq '.spec'"
@KevFan KevFan added the kind/bug Something isn't working label Nov 6, 2024
@KevFan KevFan self-assigned this Nov 6, 2024
@KevFan
Copy link
Contributor Author

KevFan commented Nov 6, 2024

\cc @mikenairn

@KevFan KevFan mentioned this issue Nov 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KevFan KevFan

Labels
kind/bug Something isn't working
Projects
Kuadrant
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
1 participant
@KevFan