How to Integrate Cert-Manager

[mpstefan]

As a potential user of NKG
I want a guide on how to integrate cert-manager in my NKG deployment
So that I can feel confident using NKG knowing I can rely on cert-manager to manage my certificates for me
And so that I can easily integrate it within my environment.

Acceptance

• Documentation is created that explains how to integrate cert-manager into a NKG deployment.
• A use case is identified as to why the user would want to implement cert-manager.
• The warning identified in this issue is called out (see Securing Gateway resources with non HTTPS listeners generate BadConfig events cert-manager/cert-manager#6197 for the corresponding issue in the cert-manager repo. A tracking issue should be created for this issue so we can remove the warning when it is resolved).

Links

• https://cert-manager.io/docs/usage/gateway/

[ciarams87]

FYI, blog on this subject with NIC: https://www.nginx.com/blog/automating-certificate-management-in-a-kubernetes-environment/

[pleshakov]

The primary use case that NKG supports - TLS termination, which is configured in the Gateway resource by referencing TLS Secrets.

How those TLS Secrets are obtained -- NKG doesn't really care -- it just cares that they exist and valid. They can be provisioned using cert-manager or any other software that can provision them.

Additionally, so far, although we didn't test it fully, it doesn't look like cert-manager needs any special configuration from us -- it integrates with the Gateway resource directly (in contrast with NIC and its VirtualServer resource, where cert-manager config needs to be added to VirtualServer).

Considering that, I think that is more important to cover our primary use case (TLS termination) and don't spend much time into covering something that we don't do and support -- certificate management.

Having a doc with a list of integrations where cert-manager is one of them would be enough imho, with a link to its documentation on how to use it with the Gateway API -- because cert-manager is a popular project and people will be asking if NKG integrates with it.

[brianehlert]

NIC with VirtualServer is a special case - a bespoke CRD.
NIC with Ingress "just works" - to Michael's point, we get it for free from the cert-manager project building the integration for the Ingress object.
In theory, nothing should be necessary.

[ciarams87]

Maybe this could be a blog post instead? Similar to the blog linked above (which covers Ingress and VirtualServer), maybe we could do a follow up to continue that guide.

[pleshakov]

is the real use case here supporting Let's Encrypt?

If we put it that way, NKG can support TLS termination using certificates from Let's Encrypt using cert-manager (as an enabler).

This could be a guide :)

Maybe this could be a blog post instead?

If we frame it as a use case, I think the guide is better, because it will be easier to find in our docs

[brianehlert]

is the real use case here supporting Let's Encrypt

Not really, we don't "support" Let's Encrypt through the support organization nor through the project. Nor did we have to build any specific integration.

If we frame it as a use case

It is absolutely a use case. Let's Encrypt supports the Gateway API, like it supports the Ingress object. It should technically be documented by Let's Encrypt, but there is no harm in us producing a blog about the use case.