Contour controls CRDs called HTTPProxy. However, ExternalDNS
and cert-manager do not recognize it, unlike the standard Ingress.
Fortunately, ExternalDNS can watch arbitrary CRD resources and manage external
DNS services such as AWS Route53 according to the CRD contents. An example of
such a CRD is DNSEndpoint.
Similarly, cert-manager watches the Certificate CRD and issues
TLS certificates.
- Automatic DNS record management for HTTPProxy
- Automatic TLS certificate issuance for HTTPProxy
Create a custom controller / operator called contour-plus that watches HTTPProxy
and the IP address of the load balancer (Service) for Contour.
When a new HTTPProxy wants an FQDN to be routed, contour-plus creates a
DNSEndpoint for ExternalDNS. If a new HTTPProxy wants a TLS certificate,
contour-plus creates a Certificate for cert-manager.
When an existing HTTPProxy is updated or removed, contour-plus updates or
deletes the corresponding DNSEndpoint and/or Certificate.
This way, DNS records are managed and TLS certificates are issued automatically.
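The reconcile logic described above, as an added example that is not contour-plus's own code. The CRD types (HTTPProxy, DNSEndpoint, Certificate) are reduced to the few fields the decision needs and the cluster state is an in-memory map, so it runs without controller-runtime or a cluster; the field names, the `Action` type and the use of the HTTPProxy name as the owner of its children are assumptions of this example. It also covers two edge cases the design implies: no DNSEndpoint is published while the Contour Service has no address yet, and a Certificate is deleted when an updated HTTPProxy no longer asks for TLS.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// HTTPProxy is the subset of a Contour HTTPProxy this example looks at
// (assumed field names, modelled on spec.virtualhost.fqdn / tls.secretName).
type HTTPProxy struct {
	Namespace string
	Name      string
	FQDN      string // routed host name; empty means nothing to publish
	TLSSecret string // secret cert-manager should fill; empty means no TLS
	Deleted   bool   // the object carries a deletionTimestamp
}

// DNSEndpoint is the simplified ExternalDNS object: one record per FQDN.
type DNSEndpoint struct {
	Namespace string
	Name      string
	DNSName   string
	Targets   []string // load balancer addresses, sorted for stable comparison
	Owner     string   // ownerReference back to the HTTPProxy (assumed)
}

// Certificate is the simplified cert-manager object.
type Certificate struct {
	Namespace  string
	Name       string
	SecretName string
	DNSNames   []string
	Owner      string
}

// ClusterState is what the controller would read through the API server.
type ClusterState struct {
	LoadBalancerIPs []string               // status.loadBalancer of the Contour Service
	Endpoints       map[string]DNSEndpoint // keyed by namespace/name
	Certs           map[string]Certificate // keyed by namespace/name
}

// Action is one write the controller must perform; returned instead of applied
// so the logic is testable offline.
type Action struct {
	Op     string      // "upsert" or "delete"
	Kind   string      // "DNSEndpoint" or "Certificate"
	Key    string      // namespace/name
	Object interface{} // desired object for upserts, nil for deletes
}

func key(ns, name string) string { return ns + "/" + name }

// Reconcile computes the children one HTTPProxy should have and diffs them
// against the current state. Children share the HTTPProxy's namespace/name.
func Reconcile(p HTTPProxy, st ClusterState) []Action {
	k := key(p.Namespace, p.Name)
	var acts []Action
	_, hasEP := st.Endpoints[k]
	_, hasCert := st.Certs[k]

	// Removed (or no longer routable) HTTPProxy: delete what was created for it.
	if p.Deleted || p.FQDN == "" {
		if hasEP {
			acts = append(acts, Action{Op: "delete", Kind: "DNSEndpoint", Key: k})
		}
		if hasCert {
			acts = append(acts, Action{Op: "delete", Kind: "Certificate", Key: k})
		}
		return acts
	}

	// DNSEndpoint: wait until the Contour Service has an address. An endpoint
	// with no targets would make ExternalDNS publish nothing useful.
	targets := append([]string(nil), st.LoadBalancerIPs...)
	sort.Strings(targets)
	if len(targets) > 0 {
		want := DNSEndpoint{Namespace: p.Namespace, Name: p.Name, DNSName: p.FQDN, Targets: targets, Owner: p.Name}
		if cur, ok := st.Endpoints[k]; !ok || !reflect.DeepEqual(cur, want) {
			acts = append(acts, Action{Op: "upsert", Kind: "DNSEndpoint", Key: k, Object: want})
		}
	}

	// Certificate: only when TLS is requested; drop a stale one when it is not.
	if p.TLSSecret != "" {
		want := Certificate{Namespace: p.Namespace, Name: p.Name, SecretName: p.TLSSecret, DNSNames: []string{p.FQDN}, Owner: p.Name}
		if cur, ok := st.Certs[k]; !ok || !reflect.DeepEqual(cur, want) {
			acts = append(acts, Action{Op: "upsert", Kind: "Certificate", Key: k, Object: want})
		}
	} else if hasCert {
		acts = append(acts, Action{Op: "delete", Kind: "Certificate", Key: k})
	}
	return acts
}

func main() {
	// Constructed sample: a fresh HTTPProxy on a cluster whose LB already has an IP.
	st := ClusterState{LoadBalancerIPs: []string{"203.0.113.10"}}
	p := HTTPProxy{Namespace: "default", Name: "web", FQDN: "web.example.com", TLSSecret: "web-tls"}
	for _, a := range Reconcile(p, st) {
		fmt.Printf("%s %s %s %+v\n", a.Op, a.Kind, a.Key, a.Object)
	}
}
```

Because every child is keyed and owned by its HTTPProxy, a second pass over an already converged state yields no actions, which is the property a reconcile loop needs to be safe to run repeatedly.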
Contour provides Go types and an API to manage the HTTPProxy resource:
cert-manager provides Go types and an API to manage the Certificate resource:
ExternalDNS provides Go types for DNSEndpoint, but does not provide a strictly-typed
API client. Therefore, contour-plus uses kubebuilder to generate a strictly-typed
API client for itself.