Closed xrstf closed 9 months ago
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: embik
We just noticed that all CA certs were just valid for 90 days, which caused quite some fun in our development environment. While debugging this, we also noticed that my change #56 was just plain wrong.

cert-manager puts the root CA into the `ca.crt` key in any Secret, not the CA that signed whatever the Certificate was. So if you have root CA, intermediate CA and then leaf certificate:

- `ca.crt` is the root CA
- `tls.crt` is the full chain (i.e. intermediate + leaf)

This means that my intent to, for example, mount the `kcp-cert` and use its CA was not actually choosing the CA that signed `kcp-cert` (`kcp-ca`), but instead the root CA (`kcp-pki-ca`).

This PR fixes this by adjusting all the volume mounts and paths to directly mount the CA certificate Secrets and never using `ca.crt` at all. This PR also extends the lifetime for all CAs to 10 years.

Additionally, I did not notice that we recently changed the `kcp-server-client-issuer` to be `kcp-front-proxy-client-issuer` and our diagram was misleading. To improve this I replaced it now with a Mermaid diagram, which should be easier to maintain in the future.

Lastly, I made the secret names a bit more consistent, as I often lost track of what Secret Cert something something tls.ca.crt was actually going on. The term `bootstrap` is now not used anymore for CAs and the common name matches the Certificate name. Also, all Secrets for regular certificates now have a `-cert` suffix.

I ran all this through `hack/setup-kind.sh` and both kcp and the front-proxy came up just fine, so :crossed_fingers:

As this PR changes some cert secret names and adjusts the paths inside the kubeconfigs, this is a breaking change.