idealized design of config

[progrium]

Notes from our conversation on simplifying configuration to almost no (separate) configuration!

• Make Let's Encrypt account email be set via environment variable
• Specify in environment a secret name to be used to generate/persist a Let's Encrypt key
• Put certificate domain(s) and certificate secret name in annotations of deployments (and potentially other resources types?)
• Certs are stored as they are now in a TLS secret, with name specified by annotation

[progrium]

Quick thoughts while writing this up... if the deployment needs to mount the tls secret, but the secret is created by the certdaemon only after a deployment is made, is there a circular dependency there that might cause the deployment to fail or at best fail and retry until certdaemon does its thing?

[Omeryl]

The deployment is configured, the Pod will pend waiting for the secret. Annotations on the deployment are still accessible.

[progrium]

And this is only the first time you deploy. Once the tls secret is made, this problem goes away. Sounds reasonable, assuming pod will sit in pending until secret is made.

[Omeryl]

Correct, it’ll go into backoff just like image pulling.