update docs
Signed-off-by: Pablo RUTH <contact@pablo-ruth.fr>
pablo-ruth committed Jan 18, 2022
1 parent 7bbf01b commit 865a179
Showing 2 changed files with 38 additions and 6 deletions.
3 changes: 3 additions & 0 deletions site/content/docs/main/config/annotations.md
@@ -49,6 +49,7 @@ The `ingress.kubernetes.io/force-ssl-redirect` annotation takes precedence over
- `projectcontour.io/retry-on`: [The conditions for Envoy to retry a request][5]. See also [possible values and their meanings for `retry-on`][6].
- `projectcontour.io/tls-minimum-protocol-version`: [The minimum TLS protocol version][7] the TLS listener should support. Valid options are `1.3`, `1.2` (default), `1.1`.
- `projectcontour.io/websocket-routes`: [The routes supporting websocket protocol][8], the annotation value contains a list of route paths separated by a comma that must match with the ones defined in the `Ingress` definition. Defaults to Envoy's default behavior which is `use_websocket` to `false`.
- `projectcontour.io/tls-cert-namespace`: The namespace where all TLS secrets of this Ingress are searched. This is necessary to use [TLS Certificate Delegation][18] with Ingress v1 because the slash notation (ex: different-ns/app-cert) used by HTTPProxy and Ingress v1beta1 is not accepted. See [this issue][19] for details.

## Contour specific Service annotations

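Review bot: the new `projectcontour.io/tls-cert-namespace` entry should say that the named namespace must still contain a `TLSCertificateDelegation` whose `targetNamespaces` includes the Ingress's own namespace; the annotation only changes where Contour looks for the secret, not whether it is allowed to read it, and a reader of this list will not see the delegation page's explanation. The wording "all TLS secrets of this Ingress" also implies that the annotation applies to every `secretName` under `tls:` of that Ingress, so one Ingress cannot mix a local secret with a delegated one; stating that outright would avoid a common misreading. Minor: put `different-ns/app-cert` in backticks to match the other code identifiers in the list.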
@@ -88,3 +89,5 @@ A [Kubernetes Service][9] maps to an [Envoy Cluster][10]. Envoy clusters have ma
[15]: fundamentals.md
[16]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-virtualhost-require-tls
[17]: api/#projectcontour.io/v1.UpstreamValidation
[18]: ../config/tls-delegation/
[19]: https://github.com/projectcontour/contour/issues/3544
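Review bot: reference `[18]` is written as `../config/tls-delegation/`, while the neighbouring `[15]` links a page in the same directory with a bare `fundamentals.md`; use `tls-delegation.md` here for consistency so the link resolves the same way in the site build and in the repository view.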
41 changes: 35 additions & 6 deletions site/content/docs/main/config/tls-delegation.md
@@ -2,9 +2,7 @@

In order to support wildcard certificates, TLS certificates for a `*.somedomain.com`, which are stored in a namespace controlled by the cluster administrator, Contour supports a facility known as TLS Certificate Delegation.
This facility allows the owner of a TLS certificate to delegate, for the purposes of referencing the TLS certificate, permission to Contour to read the Secret object from another namespace.
Delegation works for both HTTPProxy and Ingress v1beta1 resources (however it does not work with Ingress v1).
TLS Certificate Delegation is not currently supported on Ingress v1 resources due to changes in the spec that make this impossible.
See [this issue][0] for details.
Delegation works for both HTTPProxy and Ingress resources, however it needs an annotation to work with Ingress v1.

The [`TLSCertificateDelegation`][1] resource defines a set of `delegations` in the `spec`.
Each delegation references a `secretName` from the namespace where the `TLSCertificateDelegation` is created as well as describing a set of `targetNamespaces` in which the certificate can be referenced.
@@ -24,7 +22,13 @@ spec:
- secretName: another-com-wildcard
targetNamespaces:
- "*"
---
```
In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `admin` namespace has been delegated to HTTPProxy and Ingress objects in the `example-com` namespace.
Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy and Ingress objects in the cluster.

To reference the secret from an HTTPProxy or Ingress v1beta1 you must use the slash syntax in the `secretName`:
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
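Review bot: "To reference the secret from an HTTPProxy or Ingress v1beta1 you must use the slash syntax in the `secretName`" needs a comma after "v1beta1", and the paragraph should spell out the form as `<namespace>/<secretName>` (the annotations page already shows `different-ns/app-cert`) so the reader does not have to infer it from the example. Moving the "In this example ..." explanation up to sit directly under the delegation it describes is the right call; just confirm the removed `---` was only a stray YAML document separator and not the start of a second resource that the example still needs.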
@@ -41,8 +45,33 @@ spec:
port: 80
```

In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `admin` namespace has been delegated to HTTPProxy objects in the `example-com` namespace.
Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy objects in the cluster.
To reference the secret from an Ingress v1 you must use the `projectcontour.io/tls-cert-namespace` annotation:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
projectcontour.io/tls-cert-namespace: www-admin
name: www
namespace: example-com
spec:
rules:
- host: foo2.bar.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: s1
port:
number: 80
tls:
- hosts:
- foo2.bar.com
secretName: example-com-wildcard
```


[0]: https://github.com/projectcontour/contour/issues/3544
[1]: /docs/{{< param version >}}/config/api/#projectcontour.io/v1.TLSCertificateDelegation
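Review bot: the Ingress v1 example sets `projectcontour.io/tls-cert-namespace: www-admin`, but the delegation example earlier in the file places `example-com-wildcard` in the `admin` namespace and delegates it to `example-com`; with `www-admin` the delegation shown never applies, and Contour would look for the secret in a namespace the examples never grant. Change the value to `admin` so the delegation, HTTPProxy and Ingress examples form one working set. Also, `[0]` is now unreferenced after the first hunk removed "See [this issue][0]", and this hunk adds a second blank line before the link definitions; drop both.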
