23 changes: 17 additions & 6 deletions pkg/controller/tls/certs.go
Expand Up @@ -6,6 +6,7 @@ import (
"strings"

v1 "github.com/acorn-io/acorn/pkg/apis/internal.acorn.io/v1"
"github.com/acorn-io/acorn/pkg/config"
"github.com/acorn-io/acorn/pkg/labels"
"github.com/acorn-io/acorn/pkg/system"
"github.com/acorn-io/baaah/pkg/router"
Expand All @@ -20,7 +21,7 @@ import (

// ProvisionWildcardCert provisions a Let's Encrypt wildcard certificate for *.<domain>.on-acorn.io
func ProvisionWildcardCert(req router.Request, domain, token string) error {
logrus.Infof("Provisioning wildcard cert for %v", domain)
logrus.Debugf("Provisioning wildcard cert for %v", domain)
// Ensure that we have a Let's Encrypt account ready
leUser, err := ensureLEUser(req.Ctx, req.Client)
if err != nil {
Expand Down Expand Up @@ -51,16 +52,14 @@ func RequireSecretTypeTLS(h router.Handler) router.Handler {
func RenewCert(req router.Request, resp router.Response) error {
sec := req.Object.(*corev1.Secret)

logrus.Infof("Renewing certificate for %v", sec.Name)

leUser, err := ensureLEUser(req.Ctx, req.Client)
if err != nil {
return err
}

// Early exit if existing cert is still valid
if !leUser.mustRenew(sec) {
logrus.Infof("Certificate for %v is still valid", sec.Name)
logrus.Debugf("Certificate for %v is still valid", sec.Name)
return nil
}

Expand All @@ -70,7 +69,7 @@ func RenewCert(req router.Request, resp router.Response) error {

// Do not start a new challenge if we already have one in progress
if !lockDomain(domain) {
logrus.Infof("not starting certificate renewal: %v: %s", ErrCertificateRequestInProgress, domain)
logrus.Debugf("not starting certificate renewal: %v: %s", ErrCertificateRequestInProgress, domain)
return
}
defer unlockDomain(domain)
Expand Down Expand Up @@ -109,6 +108,18 @@ func RenewCert(req router.Request, resp router.Response) error {
// Note: this does not actually provision the certificates, it just creates the empty secret
// which is picked up by the route handled by RenewCert above
func ProvisionCerts(req router.Request, resp router.Response) error {

cfg, err := config.Get(req.Ctx, req.Client)
if err != nil {
return err
}

// Early exit if Let's Encrypt is not enabled
// Just to be on the safe side, we check for all possible allowed configuration values
if strings.EqualFold(*cfg.LetsEncrypt, "disabled") {
return nil
}

appInstance := req.Object.(*v1.AppInstance)

appInstanceIDSegment := strings.SplitN(string(appInstance.GetUID()), "-", 2)[0]
Expand Down Expand Up @@ -150,7 +161,7 @@ func (u *LEUser) provisionCertIfNotExists(ctx context.Context, client kclient.Cl
go func() {
// Do not start a new challenge if we already have one in progress
if !lockDomain(domain) {
logrus.Infof("not starting certificate renewal: %v: %s", ErrCertificateRequestInProgress, domain)
logrus.Debugf("not starting certificate renewal: %v: %s", ErrCertificateRequestInProgress, domain)
return
}
defer unlockDomain(domain)
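Review bot: The new early exit in ProvisionCerts dereferences `*cfg.LetsEncrypt` with no nil check; unless config.Get is guaranteed to fill that field with a default, an unset value would panic the controller instead of falling through to the provisioning path. If "unset" should be treated as not enabled, `if cfg.LetsEncrypt == nil || strings.EqualFold(*cfg.LetsEncrypt, "disabled") {` makes that explicit; if unset means a default of enabled, a one-line comment stating that next to the check would save the next reader the same question. The comment above the check says it covers "all possible allowed configuration values", but the condition only matches "disabled" (case-insensitively), so either enumerate the values or trim the comment to `// Early exit if Let's Encrypt is explicitly disabled (case-insensitive)`. Separately, removing the "Renewing certificate for" line from RenewCert and downgrading the others to Debug leaves no Info-level record of when a renewal is actually attempted, which is worth keeping at the point a new order is placed if those events feed monitoring. ProvisionCerts, RenewCert and provisionCertIfNotExists all continue outside their hunks.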
8 changes: 3 additions & 5 deletions pkg/controller/tls/letsencrypt.go
Expand Up @@ -122,8 +122,6 @@ func (u *LEUser) register() error {
}
u.registration = reg

logrus.Infof("registered LE User: %s", u.email)

return nil

}
Expand Down Expand Up @@ -268,7 +266,7 @@ func ensureLEUser(ctx context.Context, client kclient.Client) (*LEUser, error) {
return nil, fmt.Errorf("problem creating Let's Encrypt User secret: %w", err)
}

logrus.Infoln("Registered Let's Encrypt User")
logrus.Infof("Registered Let's Encrypt User: %s", newLEUser.email)

return newLEUser, nil

Expand Down Expand Up @@ -321,7 +319,7 @@ func lockDomain(domain string) bool {
CertificatesRequestLock.Lock()
if _, ok := CertificateRequests[domain]; ok {
CertificatesRequestLock.Unlock()
logrus.Infof("certificate for domain %s is already being requested, waiting for it to be ready", domain)
logrus.Debugf("certificate for domain %s is already being requested, waiting for it to be ready", domain)
return false
}

Expand Down Expand Up @@ -358,7 +356,7 @@ func stillValid(cert []byte) bool {
timeToExpire := x509crt.NotAfter.Sub(time.Now().UTC())
if timeToExpire > 7*24*time.Hour {
// (b) cert is still valid for more than 7 days -> good to go
logrus.Infof("certificate for %s is still valid until %s (%d hours)", x509crt.Subject.CommonName, x509crt.NotAfter, int(timeToExpire.Hours()))
logrus.Debugf("certificate for %s is still valid until %s (%d hours)", x509crt.Subject.CommonName, x509crt.NotAfter, int(timeToExpire.Hours()))
return true
} else {
// (c) cert is expired -> renew
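Review bot: The Info-level message added in ensureLEUser now includes the account email (`logrus.Infof("Registered Let's Encrypt User: %s", newLEUser.email)`), which this commit removes from register() in the same file; that address is contact data and will land in whatever aggregated log pipeline the cluster uses, so it fits better at Debug alongside the other downgraded messages, e.g. `logrus.Debugf("Registered Let's Encrypt User: %s", newLEUser.email)` with an address-free `logrus.Infoln("Registered Let's Encrypt User")` kept for operators. Minor style point in the stillValid hunk: the `else` after `return true` is unnecessary, and the branch it guards covers certificates that are still valid but within 7 days of expiry, so the `// (c) cert is expired -> renew` comment would be more accurate as `// (c) cert is expired or expires within 7 days -> renew`. ensureLEUser, lockDomain and stillValid all continue outside their hunks.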