Closed jrobsonchase closed 1 month ago
Looks to be working as expected:
failed to reconnect session {"obj": "csess", "id": "0eb6ded7abdf", "err": "failed to send authentication request: tls: failed to verify certificate: x509: certificate signed by unknown authority"}
with the standard agent ingress, which uses the internal ngrok CA rather than Let's Encrypt.
From meeting today:
- `root_cas` option with similar semantics to the agent: https://ngrok.com/docs/ngrok-agent/config/#root_cas
- `internal` and use the cert baked into ngrok-go. Caveat: if the special local directories exist and have certs, those will be used instead (same behavior as the controller currently uses).
- `host` option will use host certs, as this PR makes possible.
- `root_cas` will throw an error. In the future we may build functionality to refer to a k8s object here.

A table @jrobsonchase made of options, for posterity. We're going with the middle option:
closes: #369
What
Utilizes the `trusted` or `host` CA as the source of truth via a helm install flag.

How
Takes an install option for `--set rootCAs=host` and plumbs the `isHostCA` check into the `caCerts` for it to just get the host certs.

Verification
- `--set rootCAs host` and make deploy, no controller errors ✅ and can play example
- `--set rootCAs host` with canonical 2048 example without cert gives errors in controller
- `--set rootCAs trusted` no errors and plays 2048 as expected
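
The `trusted` / `host` / anything-else semantics discussed in this thread, as an added Go example that is not code from this PR or from ngrok-go. The helpers `caPool`, `issue` and `verify` are hypothetical names, and the CA and server certificate are generated at run time as constructed stand-ins for the baked-in ngrok CA and an ingress endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPool maps a rootCAs value to a trust store (hypothetical helper).
func caPool(rootCAs string, bakedIn *x509.Certificate) (*x509.CertPool, error) {
	switch rootCAs {
	case "trusted": // only the CA shipped with the client
		pool := x509.NewCertPool()
		pool.AddCert(bakedIn)
		return pool, nil
	case "host": // whatever the host OS trusts
		return x509.SystemCertPool()
	}
	return nil, fmt.Errorf("unsupported rootCAs value %q", rootCAs)
}

// issue creates a constructed certificate; a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify checks a constructed server cert against the pool rootCAs selects.
func verify(rootCAs string) error {
	ca, caKey := issue("constructed-ca.test", true, nil, nil)
	leaf, _ := issue("ingress.example.test", false, ca, caKey)
	pool, err := caPool(rootCAs, ca)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "ingress.example.test"})
	return err
}
func main() { fmt.Println(verify("trusted"), verify("host"), verify("/etc/ssl/custom.pem")) }
```

With `host`, the privately signed certificate fails verification against the system pool, which is the same class of failure as the `certificate signed by unknown authority` log line quoted earlier in the thread.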