You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
NSO owns the gateway certificate issuance model — the two paths a Gateway-listener cert can take, the enableDownstreamCertificateSolver / clusterIssuerMap config that selects them, and the failure modes an operator hits when a cert gets stuck. Today none of this is documented in this repo. The knowledge only existed as tribal context in the infra deployment, which is how infra#3410 hid for months: a consumer of NSO reading only the operator docs cannot tell how downstream solving is supposed to behave, so they can't tell a wiring bug from expected behavior.
This is operator-level knowledge — true for anyone running NSO with downstream certificate solving, not just Datum's Karmada deployment. It belongs here, not in infra. Infra should only document its own wiring (how it satisfies the prerequisites across Karmada) and link back to this.
What to document
Suggested home: docs/ (alongside runbooks/), or extend the gateway/certificate config reference.
The two issuance paths for a tenant Gateway listener cert:
Hub / control-plane issue + propagate — cert-manager issues where the operator runs; the resulting Secret is distributed to the dataplane out of band.
Downstream (member) solve — with enableDownstreamCertificateSolver: true, the cert is issued in place on the member via HTTP01, using the ClusterIssuer named by clusterIssuerMap (e.g. auto → <issuer>).
How to tell which path a live cert took (backing Secret provenance).
Config reference — EnableDownstreamCertificateSolver and clusterIssuerMap semantics (internal/config/config.go): what turns on, what the operator expects to already exist on the member (a resolvable ClusterIssuer, solver HTTPRoute/HTTPRouteFilter carrying meta.datumapis.com/http01-solver), and what is the deployer's responsibility to provide vs. what NSO creates.
Failure modes (operator-generic):
Referenced "ClusterIssuer" not found on the member → the issuer named by clusterIssuerMap is absent where the cert is being solved. NSO assumes it exists; providing it is the deployer's job.
HTTP01 challenge stuck pending with self-check wrong status code '404' → challenge presented but the ACME probe never reaches the gateway; typically the hostname's DNS does not point at the gateway. Not an issuer problem.
Automatic re-issuance (feat: add automatic re-issuance of failed custom hostname certificates #259) — document the recovery behavior next to the model: failed custom-hostname Certificates are deleted past retryInterval to GC the whole CertificateRequest/Order/Challenge/solver-route chain and recreate, bounded by maxRetries, count tracked on the downstream Gateway. Critically: it assumes the member can issue — it retries against a missing issuer or off-gateway DNS, it does not fix either.
Why now
infra is trimming its cert docs (infra#3420) to cover only Datum-specific Karmada wiring and link here for the model. Without this doc, that link has no target and the operator-level knowledge stays undocumented.
Problem
NSO owns the gateway certificate issuance model — the two paths a
Gateway-listener cert can take, theenableDownstreamCertificateSolver/clusterIssuerMapconfig that selects them, and the failure modes an operator hits when a cert gets stuck. Today none of this is documented in this repo. The knowledge only existed as tribal context in the infra deployment, which is how infra#3410 hid for months: a consumer of NSO reading only the operator docs cannot tell how downstream solving is supposed to behave, so they can't tell a wiring bug from expected behavior.This is operator-level knowledge — true for anyone running NSO with downstream certificate solving, not just Datum's Karmada deployment. It belongs here, not in infra. Infra should only document its own wiring (how it satisfies the prerequisites across Karmada) and link back to this.
What to document
Suggested home:
docs/(alongsiderunbooks/), or extend the gateway/certificate config reference.The two issuance paths for a tenant
Gatewaylistener cert:Secretis distributed to the dataplane out of band.enableDownstreamCertificateSolver: true, the cert is issued in place on the member via HTTP01, using theClusterIssuernamed byclusterIssuerMap(e.g.auto → <issuer>).Secretprovenance).Config reference —
EnableDownstreamCertificateSolverandclusterIssuerMapsemantics (internal/config/config.go): what turns on, what the operator expects to already exist on the member (a resolvableClusterIssuer, solverHTTPRoute/HTTPRouteFiltercarryingmeta.datumapis.com/http01-solver), and what is the deployer's responsibility to provide vs. what NSO creates.Failure modes (operator-generic):
Referenced "ClusterIssuer" not foundon the member → the issuer named byclusterIssuerMapis absent where the cert is being solved. NSO assumes it exists; providing it is the deployer's job.pendingwith self-checkwrong status code '404'→ challenge presented but the ACME probe never reaches the gateway; typically the hostname's DNS does not point at the gateway. Not an issuer problem.Automatic re-issuance (feat: add automatic re-issuance of failed custom hostname certificates #259) — document the recovery behavior next to the model: failed custom-hostname
Certificates are deleted pastretryIntervalto GC the wholeCertificateRequest/Order/Challenge/solver-route chain and recreate, bounded bymaxRetries, count tracked on the downstreamGateway. Critically: it assumes the member can issue — it retries against a missing issuer or off-gateway DNS, it does not fix either.Why now
infra is trimming its cert docs (infra#3420) to cover only Datum-specific Karmada wiring and link here for the model. Without this doc, that link has no target and the operator-level knowledge stays undocumented.
Related