kcp-dev / helm-charts

Helm chart repo for KCP
Apache License 2.0

⚠️ Fix components not actually using the correct CAs / Extend CA Lifetime #67

Closed xrstf closed 9 months ago

xrstf commented 9 months ago

We just noticed that all CA certs were just valid for 90 days, which caused quite some fun in our development environment. While debugging this, we also noticed that my change #56 was just plain wrong.

cert-manager puts the root CA into the ca.crt key in any Secret, not the CA that signed whatever the Certificate was. So if you have root CA, intermediate CA and then leaf certificate,

This means that my intent to, for example, mount the kcp-cert and use its CA was not actually choosing the CA that signed kcp-cert (kcp-ca), but instead the root CA (kcp-pki-ca).

This PR fixes this by adjusting all the volume mounts and paths to directly mount the CA certificate Secrets and never using ca.crt at all. This PR also extends the lifetime for all CAs to 10 years.

Additionally, I did not notice that we recently changed the kcp-server-client-issuer to be kcp-front-proxy-client-issuer and our diagram was misleading. To improve this I replaced it now with a Mermaid diagram, which should be easier to maintain in the future.

Lastly, I made the secret names a bit more consistent, as I often lost track of what Secret Cert something something tls.ca.crt was actually going on. The term bootstrap is now not used anymore for CAs and the common name matches the Certificate name. Also, all Secrets for regular certificates now have a -cert suffix.

I ran all this through hack/setup-kind.sh and both kcp and the front-proxy came up just fine, so :crossed_fingers:

As this PR changes some cert secret names and adjusts the paths inside the kubeconfigs, this is a breaking change.
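The root CA / intermediate CA / leaf layering the description refers to, as an added example that is not part of this PR or of the chart: it builds a throwaway chain with Go's standard library (the names kcp-pki-ca, kcp-ca and the leaf name kcp are labels taken from the description; the SAN suffix example.invalid is constructed) and shows the two checks a practitioner would want to run against whatever gets mounted as "the CA" next to a certificate: whether that CA is the certificate's direct signer, and whether a peer that trusts only the root can verify the leaf when nobody hands it the intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nextSerial hands out distinct serial numbers for the constructed certificates.
var nextSerial int64 = 1

// issueCert creates a certificate with common name cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parentKey
// and carries parent's subject as its issuer.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn + ".example.invalid"} // constructed SAN, hypothetical host
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildDemoChain constructs root CA -> intermediate CA -> leaf in memory,
// mirroring the kcp-pki-ca -> kcp-ca -> kcp-cert layering from the PR text.
// Nothing is read from a cluster; every certificate here is constructed.
func BuildDemoChain() (root, intermediate, leaf *x509.Certificate, err error) {
	root, rootKey, err := issueCert("kcp-pki-ca", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	intermediate, interKey, err := issueCert("kcp-ca", true, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issueCert("kcp", false, intermediate, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, intermediate, leaf, nil
}

// IsDirectIssuer reports whether ca is the certificate that actually signed
// cert, as opposed to an ancestor further up the chain (such as the root CA
// that cert-manager publishes as ca.crt). Apply it to whatever is mounted as
// the CA next to a certificate.
func IsDirectIssuer(cert, ca *x509.Certificate) bool {
	return cert.CheckSignatureFrom(ca) == nil
}

// VerifiesWithTrustAnchor reports whether leaf chains up to trustAnchor, given
// the intermediates a peer would present alongside the leaf (nil for none).
func VerifiesWithTrustAnchor(leaf, trustAnchor *x509.Certificate, intermediates []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	opts := x509.VerifyOptions{Roots: roots}
	if len(intermediates) > 0 {
		opts.Intermediates = x509.NewCertPool()
		for _, c := range intermediates {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

func main() {
	root, inter, leaf, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("kcp-ca signed the leaf:         ", IsDirectIssuer(leaf, inter)) // true
	fmt.Println("kcp-pki-ca signed the leaf:     ", IsDirectIssuer(leaf, root))  // false
	fmt.Println("trust root, no intermediate:    ", VerifiesWithTrustAnchor(leaf, root, nil)) // false
	fmt.Println("trust root, kcp-ca presented:   ", VerifiesWithTrustAnchor(leaf, root, []*x509.Certificate{inter})) // true
	fmt.Println("trust kcp-ca directly:          ", VerifiesWithTrustAnchor(leaf, inter, nil)) // true
}
```

The two functions separate the two questions that were conflated in #56: `IsDirectIssuer` answers "is this the CA that issued the certificate", which is what mounting the signing CA's Secret directly gives you, while `VerifiesWithTrustAnchor` shows why trusting the root alone only works when the peer also sends the intermediate.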

kcp-ci-bot commented 9 months ago

LGTM label has been added.

Git tree hash: 5e19c2849308b10bd02d10a7a56381dd435e8dab

kcp-ci-bot commented 9 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kcp-dev/helm-charts/blob/main/OWNERS)~~ [embik]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.