# azure

damp-honey-93158

07/24/2022, 9:10 PM
OK, here's a challenge question: I've created an AKS cluster; it uses cert-manager and external-dns in order to provision certs for ingress rules via Let's Encrypt. We are very much using "ephemeral" environments, so clusters come and go frequently. This in turn causes us to hit the Let's Encrypt rate limits rather quickly. We have a multitude of projects using this ephemeral-style setup, and each one uses a simple subdomain from a wildcard cert we have for their project. For example, if my project is called "cats", then my DNS subdomain (for which I'll have an Azure DNS Zone) would be cats.contoso.com, and as a happy developer I'll start provisioning stuff at flying.cats.contoso.com or sleepy.cats.contoso.com and so on. The point being I can do what I want within the "cats" subdomain. Finally, my question: how do we ensure we don't hit rate limits? The cert-manager docs indicate that we should simply back up / restore the secrets for the (in our case) ClusterIssuer and the Ingress objects. While this seems conceptually easy (my first reaction was to say: "OK, let's use a key vault for this"), it means we have to write code to store / retrieve the secret values. Is this an already solved problem for k8s using LE with cert-manager?