Closed sed-i closed 11 months ago
@ghislainbourgeois have you tried using CSRs that list bare IPs? Did it work for you?
According to this, we need to add x509.KeyUsage to generate_ca.
Wdyt @ghislainbourgeois?
Confirmed this works with https://github.com/canonical/traefik-k8s-operator/pull/249.
Issue
When traefik generates a CSR with an IP address (this is often the case in testing), the IP address goes into the DNS section, but according to RFC 2818 (via) it needs to go into a different, dedicated section:
Solution
Keep the cert_handler API the same, but internally split the list into IPs and hostnames and pass them accordingly to generate_csr.

Tandem PRs:
Possibly depends on:
Context
NTA.
Testing Instructions
Deploy the tandem PRs. Then copy over the external-ca cert, and attempt to curl prometheus via its ingress url, from within the grafana container.
Before https://github.com/canonical/traefik-k8s-operator/pull/249, curl gives
curl: (60) SSL certificate problem: self-signed certificate
and openssl verify complains:

With the default cert set in traefik, it works.
Release Notes
Split SANs into DNS and IP.
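The split described under Solution, as an added example that is not code from traefik-k8s-operator or its cert_handler library: a mixed SAN list is partitioned into hostnames and IP addresses, and the CSR's SubjectAlternativeName carries the IPs as iPAddress entries rather than dNSName entries, which is what RFC 2818 expects. It assumes the `cryptography` package; the function names (`split_sans`, `build_san_extension`, `generate_csr`, `san_summary`) and the sample SAN list are illustrative, and `split_ips=False` reproduces the pre-fix behaviour for comparison.

```python
# Added example, not the project's own code. Assumes the `cryptography` package.
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def split_sans(sans):
    """Partition SAN strings into (dns_names, ip_addresses).

    Anything `ipaddress` can parse is an IP; everything else is a hostname.
    """
    dns_names, ips = [], []
    for san in sans:
        try:
            ips.append(ipaddress.ip_address(san))
        except ValueError:
            dns_names.append(san)
    return dns_names, ips


def build_san_extension(sans, split_ips=True):
    """Build the SubjectAlternativeName extension for a SAN list.

    split_ips=False reproduces the defect in the PR: every entry, IPs
    included, becomes a dNSName. split_ips=True is the corrected behaviour.
    """
    if not split_ips:
        return x509.SubjectAlternativeName([x509.DNSName(s) for s in sans])
    dns_names, ips = split_sans(sans)
    return x509.SubjectAlternativeName(
        [x509.DNSName(d) for d in dns_names] + [x509.IPAddress(ip) for ip in ips]
    )


def generate_csr(common_name, sans, split_ips=True):
    """Generate a throwaway EC key and a CSR carrying the given SANs."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(build_san_extension(sans, split_ips), critical=False)
        .sign(key, hashes.SHA256())
    )


def san_summary(csr):
    """Return the CSR's SAN contents as {'dns': [...], 'ip': [...]} of plain strings."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "dns": san.get_values_for_type(x509.DNSName),
        "ip": [str(ip) for ip in san.get_values_for_type(x509.IPAddress)],
    }


# Constructed sample input: the kind of SAN list a charm hands to cert_handler.
SAMPLE_SANS = [
    "prometheus-0.prometheus-endpoints.cos.svc.cluster.local",
    "10.1.2.3",
    "fd00::1",
]


if __name__ == "__main__":
    print("before:", san_summary(generate_csr("prometheus", SAMPLE_SANS, split_ips=False)))
    print("after: ", san_summary(generate_csr("prometheus", SAMPLE_SANS, split_ips=True)))
```

Running the block prints the two SAN layouts side by side: the pre-fix CSR lists the IP strings under `dns` and nothing under `ip`, while the corrected CSR places them under `ip`. A client that matches a dotted-quad against dNSName entries only by string comparison may still accept the first form, which is why the defect is easy to miss until a strict validator such as `openssl verify` or curl rejects the certificate.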