https://garden.io logo
Powered by
#🌱|help-and-getting-started
Current recommendations for certificate management?
c

chilly-waitress-62592

01/03/2023, 2:50 PM
I saw elsewhere on discord that there are plans to deprecate the built in 
cert-manager
option here: https://docs.garden.io/advanced/cert-manager-integration#enabling-and-configuring-cert-manager Probably worth indicating in the docs that this won't be supported going forward. I'm looking for recommendations for the least headache-inducing approach to get TLS set up. I am fine with wildcard certificates for our environment subdomain setups (currently 
app.domain.com
, 
*.dev.domain.com
, 
*.preview.domain.com
). I would use the garden implementation if I didn't see the message about deprecation.
Currently I am using the official helm deployment of 
cert-manager
, and it is somewhat playing nicely with the 
tlsCertificates
config in the kubernetes provider.
I had to combine it with a kubernetes module to issue my own 
ClusterIssuer
.
Related, there appears to be no way to remove the managed ingress controller if you set 
setupIngressController: false
?
q

quaint-dress-831

01/05/2023, 3:30 AM
For simpler and less headache inducing I'd give KCert a try: https://github.com/nabsul/kcert
By this you mean if the ingress controller has already been deployed there's no way to remove it post-deployment?
c

chilly-waitress-62592

01/05/2023, 8:33 PM
thanks for the recommendation
Yes. I've solved it by purging and reinstalling everything, but I didn't see a way to 
garden delete service X
for the ingress.
q

quaint-dress-831

01/05/2023, 8:34 PM
Interesting, I believe setting the nginx controller to false then running 
garden deploy
ought to have had the desired effect of removing the controller but perhaps not?
c

chilly-waitress-62592

01/05/2023, 8:35 PM
I do not believe so. Since I first requested this, I've cobbled together a solution using cert-manager helm, a kubernetes module for both the 
ClusterIssuer
and 
Certificate
and then combined that with the 
tlsCertificate
section of the project config.
q

quaint-dress-831

01/05/2023, 8:35 PM
If it didn't, I'd create an issue in our GitHub
That sounds headache-inducing and byzantine 😄
But if it works, it may be something we should consider enshrining in our docs.
c

chilly-waitress-62592

01/05/2023, 8:39 PM
It was, on the other hand it taught me a lot about k8s fundamentals. I was wondering why I was still spending time on this stuff in 2023. There are of course the google based solutions for gke but it would be more complicated to get what I want with dynamic preview environments considering the lack of their support for wildcard certs
Powered by