Consider using Google-managed SSL certificates for aaa

[ameukam]

Initial conversation : https://groups.google.com/g/kubernetes-wg-k8s-infra/c/MseI6bUqOfY.

/area cluster-mgmt

EDIT(spiffxp):

FYI @munnerz @rikatz I think we're doing this now? I'm not entirely sure what's tipped us over the edge, other than we're getting cert expiry warnings yet again.

This would obviate work in progress to improve cert-manager:

• https://github.com/kubernetes/k8s.io/pull/1512 - updating to latest
• https://github.com/kubernetes/k8s.io/pull/1746 - syncer to resolve dual-stack
• https://github.com/kubernetes/k8s.io/pull/1739 - cert monitor manifest (maybe?)

And obviate the following issues:

• https://github.com/kubernetes/k8s.io/issues/1476 - cert-manager can't renew k8s-io-prod cert due to second ipv6 ingress
• https://github.com/kubernetes/k8s.io/issues/1508 - update cert-manager

Services on aaa that need to be converted:

• [x] gcsweb (@thockin, https://github.com/kubernetes/k8s.io/pull/2088)
• [ ] k8s-io-canary
• [X] k8s-io-prod (@thockin, https://github.com/kubernetes/k8s.io/pull/2093)
• [X] node-perf-dash (@ameukam, https://github.com/kubernetes/k8s.io/pull/2092)
• [X] perfdash (@spiffxp, https://github.com/kubernetes/k8s.io/pull/2097)
• [X] sippy (@spiffxp, https://github.com/kubernetes/k8s.io/pull/2127)
• [x] slack-infra (@thockin, https://github.com/kubernetes/k8s.io/pull/2090)
• [x] traige-party-release (@ameukam, https://github.com/kubernetes/k8s.io/pull/1942)

[ameukam]

I opened #1942 for Triage-Party

[ameukam]

Things I noticed when I deployed #1942 :

• It takes about 10 minutes before the ManagedCertificate is active
• during those 10 minutes, I got a SSL_ERROR_NO_CYPHER_OVERLAP TLS error

[ameukam]

Current default quota for the SSL certificates: https://console.cloud.google.com/iam-admin/quotas?service=compute.googleapis.com&metric=%22SSL%20certificates%22

https://cloud.google.com/load-balancing/docs/quotas#ssl_certificates.

[spiffxp]

/assign @thockin @spiffxp @ameukam

[spiffxp]

/priority important-soon

[thockin]

sippy is the only old-style cert remaining, except for the self-signed we use in k8s-io-canary (which maybe can just go away?)

[spiffxp]

We could shut down cert-manager, create self-signed cert manually, apply to canary ingress... but problem is every time we add a new domain to the canary domain, we need to regenerate the certificate again.

Other option is to see if we can cover in ManagedCertificate, maybe be complications, not clear how managed certificate controller works.

/milestone v1.23

[ameukam]

/milestone v1.24

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ameukam]

/remove-lifecycle stale /lifecycle frozen

[ameukam]

/priority important-longterm

[ameukam]

/milestone clear

[ameukam]

/milestone v1.32