Replace issuer with CA issuer #679
Merged
azgabur merged 2 commits into Kuadrant:main from Jun 12, 2025
averevki
reviewed
Jun 2, 2025
Signed-off-by: Alex Zgabur <azgabur@redhat.com>
Signed-off-by: Alex Zgabur <azgabur@redhat.com>
azgabur
commented
Jun 10, 2025
averevki
approved these changes
Jun 11, 2025
Contributor
averevki
left a comment
LGTM! Will it require any change inside the testsuite pipelines? I guess not, because it was multicluster that wasn't accepting the self-signed issuer, as far as I remember, so I guess it will just be one fixture less from now on.
Member
Author
Nope, I added the CA in Kuadrant/helm-charts-olm@b9128fb to helm install and the pipeline always uses the most recent version. The only additional thing to do is to add the CA issuer on clusters that had not been deployed with the newer version of the helm chart. I will inform on Slack.
Currently multicluster tests use Letsencrypt as the TLS issuer. There are connected quotas and long delays in the issuing process, making the tests take much longer to finish.

Additionally, the Letsencrypt issuer should only be used in test test_external_ca, as in any other case we do not care about the type of issuer. By adding a known CA that will issue test certificates we can simplify TlsPolicy testing.

Maybe in the future the selfsigned-issuer can be fully replaced by this CA issuer and the logic in the Hostname class that fetches the certificate from the cluster at runtime will no longer be needed. For now I only changed the multicluster tests where it was mainly needed.

edit: I replaced the selfsigned-issuer with the CA issuer as it should not cause any additional problems.

A testing CA is part of helm-install since Kuadrant/helm-charts-olm@b9128fb
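
For reference, an added example that is not taken from this pull request or from Kuadrant/helm-charts-olm: the usual cert-manager pattern for a CA issuer, where a self-signed issuer is used only once to sign the CA certificate. All resource names and the cert-manager namespace are assumptions.

```yaml
# Bootstrap issuer: used only to sign the CA certificate below.
# Certificates issued directly by a selfSigned issuer are each their
# own root, so a client has no common anchor to trust.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap          # hypothetical name
spec:
  selfSigned: {}
---
# The test CA: a self-signed root whose key pair is stored in a Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: testsuite-ca                  # hypothetical name
  # Assumption: cert-manager's cluster resource namespace is the default
  # "cert-manager"; a ClusterIssuer reads its CA Secret from there.
  namespace: cert-manager
spec:
  isCA: true
  commonName: testsuite-ca            # hypothetical subject
  secretName: testsuite-ca-secret     # hypothetical Secret name
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-bootstrap
---
# CA issuer: every certificate it issues chains to the single root above,
# so test clients can verify TLS against one known ca.crt.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: testsuite-ca-issuer           # hypothetical name
spec:
  ca:
    secretName: testsuite-ca-secret
```

Anyone who can read the CA Secret can issue certificates that chain to this root, so the CA should be trusted only by test clients and kept to test clusters.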