Create redirects for cert-manager annotations #1696
cert-manager-prow[bot] merged 8 commits into cert-manager:master from
jsoref commented May 16, 2025
- closes Create redirects for cert-manager annotations #1695
The items I'm adding in https://github.com/cert-manager/website/compare/760f9a2acd142c1769b3b0abb2f6836de0d9eacc..0df5e31ae1be5665f4031951264453529e4b845e don't appear to be documented in the places I'd expect...
|
| ## cert-manager.io/inject-apiserver-ca | ||
|
|
||
| cause the `cainjector` to inject the **CA certificate** for the Kubernetes apiserver into the resource. | ||
|
|
||
| ## cert-manager.io/inject-ca-from | ||
|
|
||
| cause the `cainjector` to inject a certificate with **CA certificate**. ?? | ||
|
|
||
| ## cert-manager.io/inject-ca-from-secret | ||
|
|
||
| cause the `cainjector` to inject a **CA Certificate** from a secret. |
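Review bot: the description under `cert-manager.io/inject-ca-from` still ends in a literal `??`, and "inject a certificate with **CA certificate**" does not say where that CA comes from; the placeholder needs replacing before this is published. None of the three `inject-*` entries lists the resource kinds it applies to, which the `next-private-key` entry does with its `Secret` line, and none states what value the annotation takes. The sentences also start in lower case ("cause") and spell "CA certificate" two ways.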
I guess this stuff is documented in content/docs/concepts/ca-injector.md and I'll have to copy some content over and add cross links
| ## cert-manager.io/next-private-key | ||
| - `Secret` | ||
|
|
||
| indicates the secret contains the private key for a certificate request issuance. |
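Review bot: the `cert-manager.io/next-private-key` description does not say who sets the annotation. Since it marks a Secret that holds private key material, state whether cert-manager adds it or the user is expected to, and whether it is safe to edit or remove by hand. The sentence should also start with a capital letter.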
This is undocumented
@jsoref There are also annotations that we add on the Secrets that we create (see https://github.com/cert-manager/cert-manager/blob/b80ca21f7e3b08c83b5cb546bfe4bff7a52c4975/pkg/apis/certmanager/v1/types.go)
These are two that I found are missing:
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
* cert-manager.io
* acme.cert-manager.io
* experimental.cert-manager.io
* venafi.cert-manager.io

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
SgtCoDFish left a comment
/lgtm
/approve
I think this is an improvement as-is and I recognise this has been open for a while. I have a few suggestions, but none are blockers and one of them (the redirect domain) might need this to be merged so it can be tested.
My instinct is to merge this and then if there are any tweaks needed to fix it after merging, so I'm going to approve this now with a hold - feel free to unhold so we can merge for testing!
| # There should be cnames to cert-manager.io (as well as configuration in netlify) for each of these | ||
| # to enable these to work in the same manner. |
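Review bot: the comment says there "should be" CNAMEs and Netlify configuration but not whether they exist or in which order they must be created. Word it as a requirement and note that each hostname has to be configured on the Netlify site before its CNAME is published, so a subdomain never resolves to a site that does not serve it. "cnames" and "netlify" should be "CNAMEs" and "Netlify".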
suggestion: We could link here to where the CNAMEs are defined: https://github.com/cert-manager/infrastructure/blob/2d77f6b97249f4d41cd5547ad90f0e2f4ffd6c58/gcp/general_dns_cert-manager.tf
Not a blocker, but it makes sense to me to link the two.
| # note that the kubernetes.io entries will not have real CNAMEs and are merely for consistency, but if someone does talk to this netifly instance, it should work. | ||
| https://kubernetes.io/ingress.class /docs/configuration/annotations#kubernetesio/ingressclass 301! | ||
| https://kubernetes.io/tls-acme /docs/configuration/annotations#kubernetesio/tls-acme 301! |
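Review bot: "netifly" in the comment line is a typo for "Netlify". The first rule also maps the path `ingress.class` to the fragment `#kubernetesio/ingressclass`, dropping the dot and keeping a `/`; confirm that both fragments match the heading ids the annotations page actually generates, otherwise the redirect lands at the top of the page.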
suggestion: I don't think we should list these kubernetes ones as entries here, since we can never make these work for our domain. I'm OK with them being here as comments, but I find this more confusing to have actual redirect rules listed for a domain we don't control.
| https://acme.cert-manager.io/http01-edit-in-place /docs/configuration/annotations#acmecert-managerio/http01-edit-in-place 301! | ||
| https://acme.cert-manager.io/http01-ingress-class /docs/configuration/annotations#acmecert-managerio/http01-ingress-class 301! | ||
|
|
||
| https://experimental.cert-manager.io/request-duration /docs/configuration/annotations#experimentalcert-managerio/request-duration 301! | ||
| https://experimental.cert-manager.io/request-is-ca /docs/configuration/annotations#experimentalcert-managerio/request-is-ca 301! | ||
| https://experimental.cert-manager.io/private-key-secret-name /docs/configuration/annotations#experimentalcert-managerio/private-key-secret-name 301! | ||
|
|
||
| https://venafi.cert-manager.io/custom-fields /docs/configuration/annotations#venaficert-managerio/custom-fields 301! | ||
| https://venafi.cert-manager.io/pickup-id /docs/configuration/annotations#venaficert-managerio/pickup-id 301! |
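Review bot: every rule in this hunk ends in `301!`, a permanent redirect, and clients cache permanent redirects, so a wrong target keeps being followed by anyone who hit it before the fix. Consider shipping these as `302` until each hostname has been checked against the live site, then switching to `301`.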
suggestion: I'm pretty sure that as written these rules will still keep the subdomain in the address; e.g. https://venafi.cert-manager.io/pickup-id will redirect to https://venafi.cert-manager.io/docs/configuration/annotations#venaficert-managerio/pickup-id. We might need to add https://cert-manager.io as a prefix to the targets - but I'm not 100% sure and maybe the best thing to do is merge and fix if it's wrong.
Now this is live I tried https://experimental.cert-manager.io/request-duration which redirected me to https://experimental.cert-manager.io/docs/configuration/annotations#experimentalcert-managerio/request-duration and the path is wrong as well as the domain (it 404s)
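A check that would flag the behaviour reported in the comments above before deployment, as an added example (not code from this PR or from the cert-manager project): it lints Netlify-style redirect rules for host-qualified sources whose target is relative, for targets off the canonical host, and for source hosts outside the project's domain. The canonical host, the controlled-domain suffix and the sample rules are assumptions made for this example.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "cert-manager.io"      # assumption: the docs are served only from here
CONTROLLED_SUFFIX = ".cert-manager.io"  # assumption: subdomains the project can CNAME

# Constructed sample, modelled on the rules quoted in this thread.
SAMPLE = """\
# subdomain redirects
https://kubernetes.io/tls-acme /docs/configuration/annotations#kubernetesio/tls-acme 301!
https://venafi.cert-manager.io/pickup-id /docs/configuration/annotations#venaficert-managerio/pickup-id 301!
https://acme.cert-manager.io/http01-edit-in-place https://cert-manager.io/docs/reference/annotations#acmecert-manageriohttp01-edit-in-place 301!
"""

def lint_redirects(text):
    """Return (line_number, source, problem) tuples for host-qualified rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((lineno, line, "rule has no target"))
            continue
        source, target = fields[0], fields[1]
        src = urlsplit(source)
        if not src.netloc:
            continue  # path-only rule: applies to whichever host serves the site
        host = src.hostname
        if host != CANONICAL_HOST and not host.endswith(CONTROLLED_SUFFIX):
            findings.append((lineno, source, "source host is not a controlled domain"))
        dst = urlsplit(target)
        if not dst.netloc:
            # Observed in this thread: the redirect stays on the requesting subdomain.
            findings.append((lineno, source, "relative target stays on the source host"))
        elif dst.scheme != "https" or dst.hostname != CANONICAL_HOST:
            findings.append((lineno, source, "target is not https on the canonical host"))
    return findings

if __name__ == "__main__":
    for lineno, source, problem in lint_redirects(SAMPLE):
        print(f"line {lineno}: {source}: {problem}")
```
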
| https://acme.cert-manager.io/http01-edit-in-place /docs/configuration/annotations#acmecert-managerio/http01-edit-in-place 301! | ||
| https://acme.cert-manager.io/http01-ingress-class /docs/configuration/annotations#acmecert-managerio/http01-ingress-class 301! | ||
|
|
||
| https://experimental.cert-manager.io/request-duration /docs/configuration/annotations#experimentalcert-managerio/request-duration 301! | ||
| https://experimental.cert-manager.io/request-is-ca /docs/configuration/annotations#experimentalcert-managerio/request-is-ca 301! | ||
| https://experimental.cert-manager.io/private-key-secret-name /docs/configuration/annotations#experimentalcert-managerio/private-key-secret-name 301! | ||
|
|
||
| https://venafi.cert-manager.io/custom-fields /docs/configuration/annotations#venaficert-managerio/custom-fields 301! | ||
| https://venafi.cert-manager.io/pickup-id /docs/configuration/annotations#venaficert-managerio/pickup-id 301! |
suggestion: For the subdomain redirects, should we have a catch-all redirect for unknown paths to https://cert-manager.io/docs ? Does that make sense?
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: SgtCoDFish
|
I... didn't add the hold. So I guess we can just fix anything we find :D
|
|
||
| # There should be cnames to cert-manager.io (as well as configuration in netlify) for each of these | ||
| # to enable these to work in the same manner. | ||
| https://acme.cert-manager.io/http01-edit-in-place /docs/configuration/annotations#acmecert-managerio/http01-edit-in-place 301! |
| https://acme.cert-manager.io/http01-edit-in-place /docs/configuration/annotations#acmecert-managerio/http01-edit-in-place 301! | |
| https://acme.cert-manager.io/http01-edit-in-place https://cert-manager.io/docs/reference/annotations#acmecert-manageriohttp01-edit-in-place 301! |
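Review bot: the replacement line changes three things at once, the absolute `https://cert-manager.io` prefix, `/docs/reference/annotations` in place of `/docs/configuration/annotations`, and a fragment without the `/`, but only for the `http01-edit-in-place` rule. The other `acme`, `experimental` and `venafi` rules need the same three changes, or they keep the behaviour reported for `request-duration`. It is worth confirming which of the two docs paths the annotations page is published at before applying it everywhere.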
| ## cert-manager.io/alt-names | ||
| - [Certificate](../usage/certificate.md) | ||
|
|
||
| this annotation allows you to configure `spec.dnsNames` field for | ||
| the Certificate to be generated. | ||
| Supports comma-separated values e.g. "example.com,example.org" |
I came across this today, I'm not sure I understand this annotation.
Doesn't cert-manager.io/alt-names belong to the Secret resource?
Looking at internal/controller/certificates/secrets.go, the only place this annotation is ever used is when the "secret" controller creates a Secret out of a given Certificate.
This annotation can't be used in the Issuer's secretTemplate, either.
I think the description should be:
| ## cert-manager.io/alt-names | |
| - [Certificate](../usage/certificate.md) | |
| this annotation allows you to configure `spec.dnsNames` field for | |
| the Certificate to be generated. | |
| Supports comma-separated values e.g. "example.com,example.org" | |
| ## cert-manager.io/alt-names | |
| - Secret | |
| This annotation is managed by cert-manager and appears on the Secret resource. It is copied by cert-manager from the Certificate's `spec.dnsNames`. |
I've seen people looking for ways to add extra SANs in cert-manager/cert-manager#5897 and cert-manager/cert-manager#6190, but this feature hasn't landed yet.
WDYT? @jsoref
@maelvls: Yes, I think that's right. Although I wish spec.dnsNames was a link to something.