Skip to Main Content
IBM Sustainability Software - Ideas Portal


This portal is to open public enhancement requests against the products and services belonging to IBM Sustainability Software. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Submitted
Created by Guest
Created on Oct 28, 2024

Enhance the MAS Core to seamlessly be able to proxy through CloudFlare by issuing Certificates via their (Cloudflare's) "Origin" issuer

Hello,

CloudFlare itself maintains an "Origin CA Issuer" for Cert Manager that automatically issues and renews CloudFlare Origin Certificates for "backend" servers/services using HTTPS on the OpenShift cluster. 

Its URL is: https://github.com/cloudflare/origin-ca-issuer

Which should allows automatic issuance of "Public" (accepted by the CloudFlare CDN) certificates using the CloudFlare Origin that then can be used to transparently "proxy" HTTPS requests through CloudFlare by making use of the rather strong protections CloudFlare CDN brings for DDoS, caching on the edge, distributed presence via anycast, etc.

That being said, they just don't create a "straight" Cert Manager "Cluster Issuer" but instead use a CRD named "ClusterOriginIssuer" (see deploy/crds/cert-manager.k8s.cloudflare.com_clusteroriginissuers.yaml) and while we can issue certificates using the "ClusterOriginIssuer" by creating the right "Certificate" resource, the YAML refers to a "ClusterOriginIssuer" instead of a "ClusterIssuer" as per usual internally supported Cluster Issuers by Cert Manager.

As the Certificate resources are controlled by the "MAS Core" "Suite" CRD, where there is an entry to specify the "ClusterIssuer" or "Issuer" to use, there is no extension point allowed to use a "ClusterOriginIssuer" instead of a "ClusterIssuer" (or just an "OriginIssuer" vs "Issuer", which we don't prefer for "Public" Certificates as they are project/namespace scoped) in the "Suite" CR under "spec/certificateIssuer/name". 

Note: We have successfully configured a different (non CloudFlare maintained) older fork of the CloudFlare implementation that is compatible with the MAS Core and can be found and its implementation is located at https://github.com/penumbra23/origin-ca-cluster-issuer. However, we do prefer to use the CloudFlare released implementation.

Therefore, asking IBM to consider this as an enhancement to the MAS Core Automatic Certificate Management.

Thanks,

Julio.

Idea priority Medium
Needed By Quarter