
Conversation

@YuryHrytsuk
Collaborator

@YuryHrytsuk YuryHrytsuk commented Oct 17, 2025

What do these changes do?

Generate certificates once and store them in the global default traefik TLS Store

Implementation detail

  1. we generate certificates by explicitly defining certificate resource
    in cert-manager (this is configured via helm chart values)
  2. we copy generated secrets (containing certificates) from the cert-manager namespace to the traefik namespace
    via reflector (this is achieved via secretTemplate annotations)
  3. traefik explicitly defines TLS Store that references secrets
    containing certificates (tlsStore is configured in helm chart values)

Implications

  • we don't need to specify a TLS section in ingress objects anymore, as traefik automatically matches the domain against the certificates registered in the TLS Store

Bonus:

  • Add HELMFILE_EXTRA_ARGS variable to Makefile to pass options to helmfile CLI if necessary
  • Merge traefik values (we get rid of insecure configuration)
  • Add pod security standard to reflector
  • Update reflector watcher timeout (implication: if a mirrored secret is removed, it is copied again faster (<= 30 seconds))

Actions required

  • Manually remove monitoring certificate, secret, order and certificaterequests from all affected workloads (e.g. portainer)
  • Update reflector namespace (add pod security standard annotation)

To do / answer

  • rearrange traefik chart values
  • polish cert manager certificate file
  • what happens if mirrored secret is manually deleted? will it be copied again? --> it will be (watcher timeout setting)
  • how to force renew certificate --> https://cert-manager.io/docs/reference/cmctl/#renew

Related issue/s

Related PR/s

Checklist

  • I tested and it works

Traefik does not properly work when ingresses in multiple namespaces use the same TLS
certificate. See more in
traefik/traefik#12116. This works around the
problem by manually defining certificates and uploading them to
TLSStore. Ingresses use TLSStore under the hood.

Implementation detail:
1) we generate certificates by explicitly defining certificate resource
   in cert-manager
2) we copy generated secrets (containing certificates) to traefik
   namespace via reflector
3) traefik explicitly defines TLSStore that references secrets
   (containing certificates)

Bonus:
- Add HELMFILE_EXTRA_ARGS variable to Makefile to pass options to
  helmfile CLI if necessary

Related issue/s
- closes ITISFoundation#1228

Related PR/s
- configuration ...
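As an added example (not the PR's own manifests or helm values), the three rendered resources that the implementation steps describe: the Certificate whose Secret carries reflector annotations, the reflector mirror into the traefik namespace, and the TLSStore that references the mirrored Secret. Resource names, namespaces, the issuer and the DNS name are assumptions.

```yaml
# Added example, not the PR's code. Names, namespaces, issuer and domain
# are assumptions; the annotation keys and CRD fields are the real ones.
---
# 1. cert-manager issues the certificate once, in its own namespace, and
#    stamps the resulting Secret with reflector annotations (secretTemplate).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example            # assumed Certificate name
  namespace: cert-manager           # assumed: cert-manager's namespace
spec:
  secretName: wildcard-example-tls  # assumed Secret name
  dnsNames:
    - "*.example.invalid"           # constructed placeholder domain
  issuerRef:
    name: letsencrypt               # assumed ClusterIssuer name
    kind: ClusterIssuer
  secretTemplate:
    annotations:
      # 2. reflector copies the Secret only into the namespaces listed here;
      #    the *-auto-* keys make it create (and re-create) the mirror itself.
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "traefik"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik"
---
# 3. traefik's default TLS Store references the mirrored Secret. Routers pick
#    the certificate by SNI, so Ingress objects need no tls: section, and a
#    single Secret is no longer referenced from several namespaces.
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default                     # traefik only uses the store named "default"
  namespace: traefik                # assumed: traefik's namespace
spec:
  certificates:
    - secretName: wildcard-example-tls
```

Restricting `reflection-allowed-namespaces` to the traefik namespace keeps the private key from being mirrored anywhere else; `cmctl renew -n cert-manager wildcard-example` forces re-issuance and reflector then re-copies the updated Secret.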
@YuryHrytsuk YuryHrytsuk added this to the Imparable milestone Oct 17, 2025
@YuryHrytsuk YuryHrytsuk self-assigned this Oct 17, 2025
@YuryHrytsuk YuryHrytsuk added t:bug Something isn't working p:high-prio labels Oct 17, 2025
@YuryHrytsuk YuryHrytsuk changed the title Kubernetes: properly reuse tls certificates Kubernetes: properly reuse tls certificates ⚠️ Oct 17, 2025
@YuryHrytsuk YuryHrytsuk force-pushed the kubernetes-reuse-tls-certs branch from 413f10a to 6fc601d October 17, 2025 11:48
Member

@mrnicegyu11 mrnicegyu11 left a comment


looks solid, thanks for the verbose PR description. 🚀 🎸

@YuryHrytsuk YuryHrytsuk merged commit 239508b into ITISFoundation:main Oct 20, 2025
2 of 4 checks passed
@YuryHrytsuk YuryHrytsuk deleted the kubernetes-reuse-tls-certs branch October 20, 2025 09:28
