Closed tmshort closed 2 months ago
Name | Link |
---|---|
Latest commit | 5eea0725abebc3df0430037d7a384a65be7762b2 |
Latest deploy log | https://app.netlify.com/sites/olmv1/deploys/669ac31547b423000860d4e7 |
Deploy Preview | https://deploy-preview-1062--olmv1.netlify.app |
Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
This also adds a unit-test for an empty cert dir, and for an expired certificate. And also adds an e2e to make sure secret updates and rotations actually work.
Attention: Patch coverage is 71.28713%
with 29 lines
in your changes missing coverage. Please review.
Project coverage is 72.67%. Comparing base (
775613f
) to head (5eea072
). Report is 2 commits behind head on main.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
TLDR: it looks like there is no equivalent of
GetClientCertificate
/GetCertificate
, but for root CAs in TLS config in standard library, but it is possible to implement a workaround withVerifyPeerCertificate
. This would require settingInsecureSkipVerify
totrue
and re-implementing the standard verification inVerifyPeerCertificate
as far as I understand - see this example from Go docs.
And we really don't want to do that (set InsecureSkipVerify
) by default. And reimplementing the verification code is probably not worth it, when we can just offer up the updated certificate pool on demand.
And we really don't want to do that (set
InsecureSkipVerify
) by default. And reimplementing the verification code is probably not worth it, when we can just offer up the updated certificate pool on demand.
Setting InsecureSkipVerify
to true
and VerifyPeerCertificate
means that we take over the responsibility of verifying the certs from standard library. That's not great, but it is not a lot of code (see standard library code, and client example from the docs). It doesn't sounds too terrible to me, so I'm open to consider this.
As far as I understand in this implementation we are re-creating a client each time and will have to establish a connection each we use it which is not optimal.
I don't know how significantly it will affect our performance. One one hand - creating new connections every time is not great, but on the other hand - not sure if we are going to benefit from re-using the connection in these use cases.
Fixes #915 Mounted secrets are automatically updated into pods, but...
subPath
mountingssubPath
is not used, then a bunch of directories are mountedIsDir()
returns falseSo, update the certificate volume patch, which requires a change in how we look for certificates in the CA cert directory.
Add a watch, so when the certs do change, we update the cert pool. Also look at validity dates of certificates, and error on expired certs.
The default cert-manager certificates have 90 days validities.
Description
Reviewer Checklist