
When pod is recreated there is created a new CertificateRequest -> letsencrypts limits are exceeded very fast (csi-driver, CLOSED)

cert-manager commented on August 29, 2024
When pod is recreated there is created a new CertificateRequest -> letsencrypts limits are exceeded very fast

from csi-driver.

Comments (4)

munnerz commented on August 29, 2024

This is as-expected. The CSI driver works by submitting a CertificateRequest to the cert-manager API, which as you've noted will result in a new Order being made with the Let's Encrypt server.

Typically, users don't use the CSI driver for certificates from a public authority like this. Instead, they use some form of private authority (e.g. the 'CA', 'Vault', 'Venafi' or even 'selfsigned' issuer).

Given the CSI driver also generates the private key data upon startup, there isn't a way you could have a single re-usable certificate between pod restarts unless the private key were also to be stored somewhere too. At that point, as you've already mentioned, you're basically doing the same as using a 'Certificate' resource and storing that keypair in a Secret.

If you wanted to experiment in this space at a lower level, and possibly create your own private key & certificate distribution mechanisms, you could look at building your own CSI driver and Issuer using the csi-lib project. However, this isn't something that we are aiming to support here at least.


kseniyashaydurova commented on August 29, 2024

@munnerz Ok! Thank you for the clarifications! And one more question related to cert-manager.

We have a situation where we are trying to create an internal application, which has no outside 'Ingress', but has only a 'Service' of internal Load Balancer type (i.e. we have a Load Balancer for our service, which sends traffic directly into the Pod). Can we create a Certificate manually in Kubernetes for such an entity (i.e. Service) like cert-manager does? If we can, would it also be auto-renewed with the default cert-manager mechanism?


munnerz commented on August 29, 2024

Yes, though you'll need to use something like DNS01 to validate you own the domain as cert-manager relies on manipulating Ingress resources to solve HTTP01 challenges :) see https://cert-manager.io/docs/configuration/acme/dns01/

If you've got more questions, it may be best to ask your question over in the #cert-manager channel on kubernetes.slack.com, where you'll hopefully get a lot more opinions/experiences to help you along the way 😄


kseniyashaydurova commented on August 29, 2024

Thank you so much! :)

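The setup discussed in this thread, as an added example that is not from the thread or the cert-manager project: an ACME issuer solved over DNS01 (no Ingress involved), a Certificate whose key pair is kept in a Secret, and a pod that mounts that Secret instead of a CSI volume. The Cloudflare solver, all resource names, the namespace, the hostname and the image are assumptions chosen for illustration.

```yaml
# Added illustration: names, hostname, image and the DNS provider are assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01                # hypothetical issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:                           # validates domain ownership without an Ingress
          cloudflare:                    # assumed DNS provider
            apiTokenSecretRef:
              name: cloudflare-api-token # Secret created separately
              key: api-token
---
# One Certificate per hostname. The key pair is stored in the Secret, so a
# recreated pod reuses it; a new ACME Order is made only at renewal.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-app-tls
  namespace: internal-app
spec:
  secretName: internal-app-tls           # Secret the pods mount
  dnsNames:
    - app.internal.example.com           # placeholder hostname
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
---
# Pod mounting the Secret rather than a csi.cert-manager.io volume.
apiVersion: v1
kind: Pod
metadata:
  name: internal-app
  namespace: internal-app
spec:
  containers:
    - name: app
      image: registry.example.com/internal-app:1.0   # placeholder image
      volumeMounts:
        - name: tls
          mountPath: /tls
          readOnly: true
  volumes:
    - name: tls
      secret:
        secretName: internal-app-tls
```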
