
Support 3rd party certificates (EKS, AKS, GKE)


Details


    Description

      Support 3rd party certificates EKS, AKS, GKE


          Activity

            simon.murray Simon Murray added a comment -

            Be careful here so you don't waste too much time.  If you are thinking about using the GKE ManagedCertificate resource type, then you can't.  These can only be used with ingresses, that we cannot use, and they will only sign certificates you own the domain for.  We require internal kubernetes domain names (that no one can ever own) and localhost.

            In theory, if the platform ever allowed it in a generic way, we could do TLS termination at a load-balancer, and that would work, because it only exposes your own public domain.

            If I've got it completely wrong, do give me an idea of what you are thinking!

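            To make the ownership point in the comment above concrete, here is an added example (not from this ticket or from the Couchbase operator code) that builds a throwaway self-signed certificate standing in for a platform-issued one and checks, with Go's standard hostname-matching rules, which of the names the operator needs it actually covers. The names are constructed for the example: a public wildcard `*.example.com`, and the in-cluster names `localhost`, `cb-0000.cb.default.svc` and `cb-0000.cb.default.svc.cluster.local`, where `cb` is a hypothetical cluster name in the default namespace.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RequiredNames are the kinds of names the operator needs a server
// certificate to cover: in-cluster DNS names and localhost. The concrete
// values are constructed for this example ("cb" is a hypothetical cluster
// name in the default namespace).
var RequiredNames = []string{
	"localhost",
	"cb-0000.cb.default.svc",
	"cb-0000.cb.default.svc.cluster.local",
}

// issueCert builds a throwaway self-signed certificate carrying the given
// SANs. It stands in for a certificate from a public CA or a cloud-managed
// certificate service, which will only include names whose domain you can
// prove you control.
func issueCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Coverage reports, for each required name, whether the certificate's SANs
// match it under the hostname rules crypto/x509 applies at TLS handshake
// time (a wildcard matches exactly one leftmost DNS label).
func Coverage(cert *x509.Certificate, names []string) map[string]bool {
	out := make(map[string]bool, len(names))
	for _, n := range names {
		out[n] = cert.VerifyHostname(n) == nil
	}
	return out
}

// MissingNames returns the required names the certificate does not cover,
// in the order they were requested.
func MissingNames(cert *x509.Certificate, names []string) []string {
	var missing []string
	for _, n := range names {
		if cert.VerifyHostname(n) != nil {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	// What a public CA can issue: a wildcard for a domain you own.
	public, err := issueCert([]string{"*.example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("public wildcard covers cb.example.com:",
		Coverage(public, []string{"cb.example.com"})["cb.example.com"])
	fmt.Println("public wildcard is missing:", MissingNames(public, RequiredNames))

	// What only a CA under your own control can issue: the in-cluster names.
	private, err := issueCert([]string{"localhost", "*.cb.default.svc", "*.cb.default.svc.cluster.local"})
	if err != nil {
		panic(err)
	}
	fmt.Println("private-CA style cert is missing:", MissingNames(private, RequiredNames))
}
```

            The first run reports every required name as missing: a wildcard for a public domain covers one label under it and nothing else. The second run shows the SAN set that does cover them, and no public CA will issue it, because nobody can prove control of `svc.cluster.local` or `localhost`; a certificate like that can only come from a CA you operate yourself.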

            ingenthr Matt Ingenthron added a comment -

            Per 12 Feb meeting, need scope details. Believed to be a P0, but need definition. Also, please link any related tickets.

            roshani.sanghavi Roshani Sanghavi (Inactive) added a comment -

            Waiting for more details on this from the DBaaS team. Seems like it's not possible with regards to 3rd party certificate issuance. Keeping it for now; however, I will remove this from the 2.2 scope if we don't get more details by next week.

            simon.murray Simon Murray added a comment -

            Notes:

            EKS: You can use ACM to create wildcards, and annotations to attach them to LB services.

            GKE: You use the managedcertificates to create certificates and attach them to ingresses.  Does not support DNS wildcards.  Complete non-starter.

            AKS: Again ingress only apparently, and even then they recommend the use of Let's Encrypt with cert-manager.

            The (generic) way forward is obviously to use LE with cert-manager, and use the generic TLS configuration.  However...

            // TLS configuration. Currently the Ingress only supports a single TLS
            // port, 443.

            So again, a total non-starter (ingress is still 80/443).  We really need that network proxy...!!

            simon.murray Simon Murray added a comment -

            Lowering priority because this ask is, to my mind, unrealistic at present.

            simon.murray Simon Murray added a comment -

            out of scope according to the wiki


            People

              roshani.sanghavi Roshani Sanghavi (Inactive)
              roshani.sanghavi Roshani Sanghavi (Inactive)