Merge pull request #1800 from StrongMonkey/use-cert-manager

Drop built-in http01 challenge, use cert-manager to issue certs for custom domain

Author: StrongMonkey

docs/docs/100-reference/01-command-line/acorn_install.md

@@ -28,6 +28,7 @@ acorn install
       --auto-upgrade-interval string                    For apps configured with automatic upgrades enabled, the interval at which to check for new versions. Upgrade intervals configured at the application level cannot be smaller than this. (default '5m' - 5 minutes)
       --aws-identity-provider-arn string                ARN of cluster's OpenID Connect provider registered in AWS
       --builder-per-project                             Create a dedicated builder per project
+      --cert-manager-issuer string                      The name of the cert-manager cluster issuer to use for TLS certificates on custom domains
       --cluster-domain strings                          The externally addressable cluster domain (default .oss-acorn.io)
       --controller-replicas int                         acorn-controller deployment replica count
       --controller-service-account-annotation strings   annotation to apply to the acorn-system service account

docs/docs/50-running/03-certificates.md

@@ -2,7 +2,7 @@
 title: TLS Certificates
 ---
 
-Applications that publish HTTP endpoints can be protected by TLS certificates.  If you've enabled Acorn's [Let's Encrypt integration](30-installation/02-options.md#tls-via-lets-encrypt), a valid certificate will be provisioned for your app's endpoints. This applies to oss-acorn.io generated endpoints and custom endpoints configured using the [publish flag](50-running/02-networking.md#publish-individual-ports).
+Applications that publish HTTP endpoints can be protected by TLS certificates.  If you've enabled Acorn's [Let's Encrypt integration](30-installation/02-options.md#tls-via-lets-encrypt), a valid certificate will be provisioned for your app's endpoints. This only applies to oss-acorn.io generated endpoints. For custom endpoints configured using the [publish flag](50-running/02-networking.md#publish-individual-ports), Acorn relies on external cert-manager to issue certificates. For more information on how to configure cert-manager, see [Issuing custom domain certs](#issuing-custom-domain-certs).
 
 ## Manually adding certificates
 If you don't wish to use Acorn's Let's Encrypt integration, you can configure certificates manually or by integrating with cert-manager. Acorn will automatically look for SANs in secrets of type `kubernetes.io/tls` for the exposed FQDN of the application in the Acorn namespace.
@@ -53,3 +53,33 @@ acorn run -p my-app.example.com:web [MY_APP_IMAGE]
 
 Acorn will automatically inspect each certificate in the Acorn namespace for one that can be used with `my-app.example.com`.
 If no TLS secret is found with that FQDN, it will be exposed on HTTP only.
+
+### Issuing custom domain certs
+
+Acorn's Let's Encrypt integration does not issue certificates for custom domains. Instead, you will rely on external cert-manager to issue certificates. To do so, you will need to create a cluster-issuer first. For more information on how to install and configure cert-manager, see [cert-manager docs](https://cert-manager.io/docs/).
+
+```yaml 
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik
+```
+
+Modify the `ingressClassName` to match the ingress controller you are using. For example, if you are using the NGINX ingress controller, you will need to change it to `nginx`.
+Once you have created the cluster-issuer, pass the cluster-issuer's name to `acorn install` so that Acorn knows which cluster-issuer to apply to the ingress resource.
+
+Once you have created the cluster issuer, pass the cluster issuer's name to acorn install so that acorn knows where to apply the cluster issuer to the ingress resource.
+
+```shell
+acorn install --cert-manager-issuer=letsencrypt-prod
+```

pkg/apis/api.acorn.io/v1/types.go

@@ -432,6 +432,7 @@ type Config struct {
 	AWSIdentityProviderARN         *string         `json:"awsIdentityProviderArn" name:"aws-identity-provider-arn" usage:"ARN of cluster's OpenID Connect provider registered in AWS"`
 	EventTTL                       *string         `json:"eventTTL" name:"event-ttl" usage:"Amount of time an Acorn event will be stored before being deleted (default '168h' - 7 days)"`
 	Features                       map[string]bool `json:"features" name:"features" boolmap:"true" usage:"Enable or disable features. (example foo=true,bar=false)"`
+	CertManagerIssuer              *string         `json:"certManagerIssuer" name:"cert-manager-issuer" usage:"The name of the cert-manager cluster issuer to use for TLS certificates on custom domains" default:""`
 }
 
 type EncryptionKey struct {

pkg/apis/api.acorn.io/v1/zz_generated.deepcopy.go

@@ -115,6 +115,9 @@ func complete(ctx context.Context, c *apiv1.Config, getter kclient.Reader) error
 			}
 		}
 	}
+	if c.CertManagerIssuer == nil {
+		c.CertManagerIssuer = new(string)
+	}
 	return nil
 }
 
@@ -372,6 +375,10 @@ func merge(oldConfig, newConfig *apiv1.Config) *apiv1.Config {
 		mergedConfig.EventTTL = newConfig.EventTTL
 	}
 
+	if newConfig.CertManagerIssuer != nil {
+		mergedConfig.CertManagerIssuer = newConfig.CertManagerIssuer
+	}
+
 	return &mergedConfig
 }
 

pkg/config/config.go

@@ -61,7 +61,6 @@ func routes(router *router.Router, cfg *rest.Config, registryTransport http.Roun
 	appRouter.HandlerFunc(appdefinition.PullAppImage(registryTransport, recorder))
 	appRouter.HandlerFunc(images.CreateImages)
 	appRouter.HandlerFunc(appdefinition.ParseAppImage)
-	appRouter.HandlerFunc(tls.ProvisionCerts) // Provision TLS certificates for port bindings with user-defined (valid) domains
 	appRouter.Middleware(appdefinition.FilterLabelsAndAnnotationsConfig).HandlerFunc(namespace.AddNamespace)
 	appRouter.Middleware(jobs.NeedsDestroyJobFinalization).FinalizeFunc(jobs.DestroyJobFinalizer, jobs.FinalizeDestroyJob)
 

pkg/controller/routes.go

@@ -109,3 +109,18 @@ func TestRouter(t *testing.T) {
 func TestSecret(t *testing.T) {
 	tester.DefaultTest(t, scheme.Scheme, "testdata/secret", RenderServices)
 }
+
+// TestSettingUpDefaultCertManager tests that the default cert-manager annotation is set up on custom domain if no matching certs is found
+func TestSettingUpDefaultCertManager(t *testing.T) {
+	tester.DefaultTest(t, scheme.Scheme, "testdata/ingress/cert-manager", RenderServices)
+}
+
+// TestCustomCertsShouldNotSetCertManager tests that the default cert-manager annotation should not be setup on custom domain if matching certs is found
+func TestCustomCertsShouldNotSetCertManager(t *testing.T) {
+	tester.DefaultTest(t, scheme.Scheme, "testdata/ingress/customdomainwithcerts", RenderServices)
+}
+
+// TestCustomCertsWithAnnonationsShouldNotSetCertManagerDefaultIssuer tests that the default cert-manager annotation should not be setup on custom domain if cert-manager annotations is already set
+func TestCustomCertsWithAnnonationsShouldNotSetCertManagerDefaultIssuer(t *testing.T) {
+	tester.DefaultTest(t, scheme.Scheme, "testdata/ingress/customdomainwithannotations", RenderServices)
+}

pkg/controller/service/service_test.go

@@ -70,14 +70,14 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    acorn.io/targets: '{"ci1.acorn.not":{"port":81,"service":"oneimage"},"localhost":{"port":81,"service":"oneimage"},"oneimage-app-name-a5b0aade.local.oss-acorn.io":{"port":81,"service":"oneimage"}}'
+    acorn.io/targets: '{"oneimage-app-name-a5b0aade.local.oss-acorn.io":{"port":81,"service":"oneimage"}}'
   creationTimestamp: null
   labels:
     acorn.io/app-name: app-name
     acorn.io/app-namespace: app-namespace
     acorn.io/container-name: oneimage
     acorn.io/managed: "true"
-  name: oneimage
+  name: oneimage-cluster-domain
   namespace: app-created-namespace
 spec:
   rules:
@@ -91,6 +91,25 @@ spec:
               number: 81
         path: /
         pathType: Prefix
+status:
+  loadBalancer: {}
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    acorn.io/targets: '{"ci1.acorn.not":{"port":81,"service":"oneimage"},"localhost":{"port":81,"service":"oneimage"}}'
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  name: oneimage-custom-domain
+  namespace: app-created-namespace
+spec:
+  rules:
   - host: ci1.acorn.not
     http:
       paths:
@@ -179,7 +198,7 @@ status:
     type: defined
   endpoints:
   - address: oneimage-app-name-a5b0aade.local.oss-acorn.io
-    publishProtocol: https
+    publishProtocol: http
   - address: ci1.acorn.not
     publishProtocol: https
   - address: localhost

pkg/controller/service/testdata/ingress/basic/expected.golden

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  config: '{"certManagerIssuer":"default"}'
+kind: ConfigMap
+metadata:
+  name: acorn-config
+  namespace: acorn-system

pkg/controller/service/testdata/ingress/cert-manager/existing.yaml

@@ -0,0 +1,195 @@
+`apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  name: oneimage
+  namespace: app-created-namespace
+spec:
+  ports:
+  - appProtocol: HTTP
+    name: "81"
+    port: 81
+    protocol: TCP
+    targetPort: 81
+  - name: "90"
+    port: 90
+    protocol: TCP
+    targetPort: 91
+  - name: "92"
+    port: 92
+    protocol: TCP
+    targetPort: 92
+  selector:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  type: ClusterIP
+status:
+  loadBalancer: {}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+    acorn.io/service-publish: "true"
+  name: oneimage-publish-1234567890ab
+  namespace: app-created-namespace
+spec:
+  ports:
+  - name: "90"
+    port: 90
+    protocol: TCP
+    targetPort: 91
+  - name: "92"
+    port: 92
+    protocol: TCP
+    targetPort: 92
+  selector:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  type: LoadBalancer
+status:
+  loadBalancer: {}
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    acorn.io/targets: '{"oneimage-app-name-a5b0aade.local.oss-acorn.io":{"port":81,"service":"oneimage"}}'
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  name: oneimage-cluster-domain
+  namespace: app-created-namespace
+spec:
+  rules:
+  - host: oneimage-app-name-a5b0aade.local.oss-acorn.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: oneimage
+            port:
+              number: 81
+        path: /
+        pathType: Prefix
+status:
+  loadBalancer: {}
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    acorn.io/targets: '{"ci1.acorn.not":{"port":81,"service":"oneimage"},"localhost":{"port":81,"service":"oneimage"}}'
+    cert-manager.io/cluster-issuer: default
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  name: oneimage-custom-domain
+  namespace: app-created-namespace
+spec:
+  rules:
+  - host: ci1.acorn.not
+    http:
+      paths:
+      - backend:
+          service:
+            name: oneimage
+            port:
+              number: 81
+        path: /
+        pathType: Prefix
+  - host: localhost
+    http:
+      paths:
+      - backend:
+          service:
+            name: oneimage
+            port:
+              number: 81
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - ci1.acorn.not
+    secretName: oneimage-cm-cert-1
+  - hosts:
+    - localhost
+    secretName: oneimage-cm-cert-2
+status:
+  loadBalancer: {}
+
+---
+apiVersion: internal.acorn.io/v1
+kind: ServiceInstance
+metadata:
+  creationTimestamp: null
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  name: oneimage
+  namespace: app-created-namespace
+  uid: 1234567890abcdef
+spec:
+  appName: app-name
+  appNamespace: app-namespace
+  container: oneimage
+  default: false
+  labels:
+    acorn.io/app-name: app-name
+    acorn.io/app-namespace: app-namespace
+    acorn.io/container-name: oneimage
+    acorn.io/managed: "true"
+  ports:
+  - protocol: http
+    publish: true
+    targetPort: 81
+  - port: 90
+    protocol: tcp
+    publish: true
+    targetPort: 91
+  - protocol: tcp
+    publish: true
+    targetPort: 92
+  publish:
+  - hostname: localhost
+  - hostname: ci1.acorn.not
+status:
+  conditions:
+    reason: Success
+    status: "True"
+    success: true
+    type: defined
+  endpoints:
+  - address: oneimage-app-name-a5b0aade.local.oss-acorn.io
+    publishProtocol: http
+  - address: ci1.acorn.not
+    publishProtocol: https
+  - address: localhost
+    publishProtocol: https
+  hasService: true
+`