Adding example for cert-manager letsencrypt for Istio-based service mesh #4511
examples/azure-service-mesh/security/cert-manager-letsencrypt/readme.md
…readme.md Co-authored-by: Shashank Barsin <shashankbarsin@users.noreply.github.com>
…readme.md Co-authored-by: Shashank Barsin <shashankbarsin@users.noreply.github.com>
LGTM
I tested the example and it works without any problems. I left some comments that are suggestions, like using Have you patched the controller.go to have the Istio Ingress work in a namespace different than
One more idea. I understand nip.io is a nice tool, but it could go away anytime. As an alternative solution to remove the complexity of setting up a DNS name, it would be great if the External Istio Ingress Gateway could set a public-facing DNS label to the service using the In open source Istio you can do it when installing the helm chart:
It would be great to have a way to set this annotation also with the add-on. Thanks!
@zioproto we're opening up a list of annotations for our users to customize on the ingress gateway. I was considering azure-dns-label-name but decided against it because you could effectively achieve the same thing by just using
Could you just offer both annotations and let the customer decide what works best for them? We have many customers and some will like better to lock to a specific IP, while others will prefer the DNS name. With the OSS Helm chart you can just pass whatever annotation to the Kubernetes service, there you have a lot of flexibility. Please let me know if this makes sense, or I can add more context. Thanks
Thanks for that context - the main asks we've seen (GH issues, email threads) for the add-on have been for the ipv4 and ipv6 annotations specifically (ipv6 will likely come later but we need to test dual-stack prior). We haven't seen any specifically for the dns label name but if there have been asks and use-cases then I think it would make sense to consider. It sounds like in both cases though, you would still need to create an Azure Public IP beforehand - then either set the annotation to the IP address or the DNS name? @deveshdama @biefy wondering if in the context of Let's Encrypt and Cert Manager this DNS annotation would be useful over ipv4 annotation but it seems to be the same in terms of configuration steps.
Co-authored-by: Saverio Proto <zioproto@gmail.com>
Cool, thanks for the review. I've incorporated most of them except recommending nip.io. I feel like we've provided enough information for the users to make the decision. We've made a fix on the azure servicemesh codebase to allow for ingress to be configured via shared configmap.
@deveshdama I confirm I updated the blog post with a reference to this PR. Thanks
Adding example for cert-manager letsencrypt for ASM.