Support OnDemandTLS feature #55
Comments
(I can't answer for the maintainers, but I'll just note, in case it is helpful, that |
Hi, I think what you're searching for is On Demand TLS together with a default backend. It is not implemented yet but it's the next thing I want to add 🙂 |
@Embraser01 On-Demand TLS with a default backend sounds like just what I need! Is there any ETA for this or any advice on where to get started to help implement this feature? |
I'm looking to implement it before the end of the month, will update here when I've made some progress |
Any update regarding this? Thanks |
Yes! I decided to work on an improved version of the controller and refactored a bunch of things. It also adds support for OnDemand TLS. It's not merged yet as there are still some things to finish but the controller should be working. No documentation yet but it's as easy as adding a few fields in the configmap (JSON schema). |
Awesome work! Is this ready to be used in a live environment and are there installation instructions for the improved and refactored ingress? |
The project being still very young, I can't make promises. I can tell you that I've been using it in a live environment for some weeks now and it runs very nicely! |
Do you have any insight into how to configure the default backend? I've tried deploying it and checking the logs, it's constantly checking an existing ingress' hosts and trying to issue certificates for them. Update: I've deployed the updated chart (pr-60 image tag) and I can point a domain to the IP and it loads using HTTP, but does not connect via HTTPS, just gets a standard SSL_ERR. I've also configured an ingress with the
Ingress example:
This error seems to be due to K8s 1.16 not supporting UPDATE 2: Removing the ingress path fixes the crash. Now my only issue is simply getting the default backend implemented. It's supported in K8s 1.19, but is there a way of implementing it in the same manner as nginx-ingress? https://kubernetes.github.io/ingress-nginx/user-guide/default-backend/ Trying to remove the |
@Embraser01 So after a lot of experimenting, I've gotten a lot further on this.
Checking When trying to access via HTTP, it provides a white error page with the text: |
Could you provide an ingress
For now, when PROXY protocol is enabled, it prevents any connection that does not use PROXY protocol. I don't know exactly your setup but I know that in order to enable PROXY Protocol in AWS, I had to make sure the load balancer in front of Caddy is in With ip mode enabled: LoadBalancer -> Caddy Ingress Controller Pod |
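The behaviour described in the comment above, where a listener that expects PROXY protocol refuses any connection forwarded without a PROXY header, can be seen in a minimal header check. This is an added example, not code from the Caddy ingress controller or from anyone in this thread; the function name and sample bytes are constructed for illustration, and it covers only v1 TCP4/TCP6 and v2 TCP over IPv4.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

# Constructed sample inputs (documentation addresses, not real traffic).
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"  # first bytes of a TLS ClientHello
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + TLS_HELLO
SAMPLE_V2 = (V2_SIG + b"\x21\x11\x00\x0c" + bytes([203, 0, 113, 7])
             + bytes([10, 0, 0, 5]) + struct.pack("!HH", 51234, 443) + TLS_HELLO)


def parse_proxy_header(data: bytes):
    """Return (version, src_ip, src_port, consumed) or raise ValueError.

    Strict mode: anything that does not start with a PROXY header is refused.
    """
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
        body = data[16:16 + length]
        if ver_cmd >> 4 != 2 or len(body) < length:
            raise ValueError("bad or truncated v2 header")
        if ver_cmd & 0x0F == 0:  # LOCAL command: the proxy's own health check
            return (2, None, None, 16 + length)
        if family == 0x11 and length >= 12:  # TCP over IPv4
            src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
            return (2, str(ipaddress.IPv4Address(src)), sport, 16 + length)
        raise ValueError("unsupported v2 address family")
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes
        if end == -1:
            raise ValueError("unterminated v1 header")
        parts = data[:end].decode("ascii").split(" ")
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        return (1, str(ipaddress.ip_address(parts[2])), int(parts[4]), end + 2)
    if data[:2] == b"\x16\x03":
        raise ValueError("TLS ClientHello arrived without a PROXY header")
    raise ValueError("no PROXY header")


if __name__ == "__main__":
    for name, raw in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("direct", TLS_HELLO)]:
        try:
            print(name, parse_proxy_header(raw))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

The `consumed` value is the offset at which the real client bytes (here the TLS ClientHello) begin, so a load balancer that does not prepend the header produces the "direct" rejection case.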
Just confirming, thanks to #65 will on demand TLS for any host name be possible? As is currently possible when using Caddy standalone (not as an ingress). |
@Embraser01 It appears that this is due to the PROXY protocol not being something that is explicitly able to be set on GKE. https://projectcontour.io/guides/proxy-proto/ I'm not too sure how this works with ingress-nginx though as I have no issues with that. Are there any workarounds to this issue? |
I'd also like to confirm that OnDemand is supposed to be working. I spun up the ingress controller with |
Is it possible to set up an ingress to support all domains?
E.g:
host: *
rather than host: foo.com
For my use case, I want to support automatic cert issuing for all domains, but the amount of domains is constantly changing and dynamic and can't be manually set in the standard K8s ingress host values.