feat: add configurable certificate mount path support #361

Open
wants to merge 2 commits into
base: master

@Yuri0405 Yuri0405 commented May 30, 2025

Summary

Adds support for configurable certificate mount paths via the autocert.step.sm/mount-path annotation, enabling integration with Istio and other applications that require certificates in specific locations.

Name of feature:

Configurable Certificate Mount Path

Pain or issue this feature alleviates:

  • Enables integration with Istio service mesh, which expects certificates at specific paths
  • Provides flexibility for applications that need certificates mounted at custom locations
  • Eliminates need for symlinks or file copying to work with different certificate expectations

Why is this important to the project:

  • Expands autocert compatibility with service mesh technologies like Istio
  • Makes autocert more flexible and adaptable to different deployment scenarios
  • Addresses a specific user request for Istio integration (Istio certs ? #256)

Is there documentation on how to use this feature? If so, where?

Yes, comprehensive documentation is provided in CUSTOM_MOUNT_PATH.md including:

  • Usage examples with annotations
  • Custom controller image build instructions
  • Deployment update procedures
  • Verification steps

In what environments or workflows is this feature supported?

  • All Kubernetes environments (local and remote clusters)
  • Particularly useful for Istio service mesh deployments
  • Compatible with existing autocert functionality
  • Works with minikube, kind, GKE, EKS, AKS, etc.

In what environments or workflows is this feature explicitly NOT supported (if any)?

  • Requires custom controller image build until officially released
  • No known compatibility restrictions otherwise

Supporting links/other PRs/issues:

Fixes #256

Usage Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    metadata:
      annotations:
        autocert.step.sm/name: my-app.default.svc.cluster.local
        autocert.step.sm/mount-path: /etc/ssl/certs
    spec:
      containers:
      - name: app
        image: my-app:latest

Yuri0405 added 2 commits May 27, 2025 22:46
- Add CertMountPath field to Config struct with YAML binding
- Add GetCertMountPath() method with default fallback to original path
- Add mountPathAnnotationKey constant for per-pod mount path overrides
- Update mkBootstrapper and mkRenewer signatures to accept mountPath parameter
- Update patch function to handle global config and per-pod annotation logic
- Update addCertsVolumeMount to use configurable path instead of hardcoded
- Maintain backward compatibility with existing deployments

Enables Istio compatibility and flexible certificate mount paths while
preserving original behavior when no configuration is specified.

- Document usage of autocert.step.sm/mount-path annotation
- Include custom controller image build instructions
- Add deployment update steps for local and remote clusters
- Provide verification steps for feature testing
@github-actions github-actions bot added the "needs triage" (Waiting for discussion / prioritization by team) label May 30, 2025
@Yuri0405 Yuri0405 mentioned this pull request Jun 2, 2025
@hslatman hslatman requested a review from maraino June 3, 2025 17:12
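
As an added illustration (not code from this PR or from autocert), one way a controller could resolve the mount path with per-pod annotation taking precedence over global config and the default, and validate the winning value before it is used in a volume mount. The default path placeholder, the reserved-prefix policy and the names validateMountPath and resolveMountPath are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

const (
	mountPathAnnotationKey = "autocert.step.sm/mount-path"    // annotation key from the PR description
	defaultMountPath       = "/placeholder/default/cert/path" // placeholder: the page does not give the original path
)

// reservedPrefixes is an assumed policy: locations a cert volume must not cover.
var reservedPrefixes = []string{"/proc", "/sys", "/dev", "/var/run/secrets/kubernetes.io"}

// validateMountPath accepts only absolute, normalized, non-root paths outside reservedPrefixes.
func validateMountPath(p string) error {
	if !strings.HasPrefix(p, "/") {
		return fmt.Errorf("mount path %q is not absolute", p)
	}
	if path.Clean(p) != p || p == "/" {
		return fmt.Errorf("mount path %q is not a normalized non-root path", p)
	}
	for _, r := range reservedPrefixes {
		if p == r || strings.HasPrefix(p, r+"/") {
			return fmt.Errorf("mount path %q overlaps reserved location %q", p, r)
		}
	}
	return nil
}

// resolveMountPath picks annotation, then global config, then default, and validates the winner.
func resolveMountPath(annotations map[string]string, configPath string) (string, error) {
	p := defaultMountPath
	if configPath != "" {
		p = configPath
	}
	if v, ok := annotations[mountPathAnnotationKey]; ok && v != "" {
		p = v
	}
	return p, validateMountPath(p)
}

func main() {
	for _, v := range []string{"/etc/ssl/certs", "/etc/ssl/../../proc"} { // constructed inputs
		fmt.Println(resolveMountPath(map[string]string{mountPathAnnotationKey: v}, ""))
	}
}
```

A volume mounted at a directory that already has content in the image hides that content, so a path such as /etc/ssl/certs is worth checking against what the application image ships there.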