Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate temporary certificate to appease ingress-gce #1392

Merged
merged 3 commits into from
Feb 28, 2019
Merged

Generate temporary certificate to appease ingress-gce #1392

merged 3 commits into from
Feb 28, 2019

Conversation

munnerz
Copy link
Member

@munnerz munnerz commented Feb 20, 2019

What this PR does / why we need it:

This PR changes the issuance flow to issue a self signed certificate the has already expired and only valid for the CN cert-manager.local that will be stored in the target Secret resource whilst a certificate is being issued.

Which issue this PR fixes: fixes #1343

Special notes for your reviewer:

This is incomplete due to failing unit tests, and there are some open questions about how we handle setting metadata (e.g. annotations) on the Secret resource wrt this new certificate.

Release note:

Generate temporary self signed certificate whilst waiting for issuer to issue certificate

@jetstack-bot jetstack-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Feb 20, 2019
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added area/acme Indicates a PR directly modifies the ACME Issuer code approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 20, 2019
@munnerz munnerz added this to the v0.7 milestone Feb 21, 2019
@munnerz munnerz added this to In progress in v0.7 Feb 22, 2019
@munnerz munnerz self-assigned this Feb 22, 2019
DanielMorsing
DanielMorsing reviewed Feb 25, 2019
View reviewed changes
pkg/controller/certificates/sync.go Outdated Show resolved Hide resolved
pkg/controller/certificates/sync.go Outdated Show resolved Hide resolved
pkg/controller/certificates/sync.go Outdated Show resolved Hide resolved
@munnerz
Copy link
Member Author

munnerz commented Feb 25, 2019

@DanielMorsing I've updated this PR now to use serial numbers to identify the temporary certificate. As we discussed, I need to update the generateTemporaryCertificate method to generate a temporary, one time CA and then use that to sign the temporary certificate.

I'll have that update ready later on 😄 but this is ready for some eyes now 👀

@munnerz munnerz added kind/feature Categorizes issue or PR as related to a new feature. and removed area/acme Indicates a PR directly modifies the ACME Issuer code labels Feb 25, 2019
@munnerz
Generate a temporary certificate whilst waiting for Issuer to issue
cf2f9ea 
Signed-off-by: James Munnelly <james@munnelly.eu>
@munnerz
Only assert that the not ready condition is set in acme failure case …
5a10008 
…test

Signed-off-by: James Munnelly <james@munnelly.eu>
@jetstack-bot jetstack-bot added the area/testing Issues relating to testing label Feb 25, 2019
@munnerz munnerz mentioned this pull request Feb 25, 2019
Merged
@jetstack-bot jetstack-bot added the area/ca Indicates a PR directly modifies the CA Issuer code label Feb 25, 2019
@munnerz
Use a one-use CA to sign temporary certificates
dfabece 
Signed-off-by: James Munnelly <james@munnelly.eu>
@munnerz munnerz changed the title WIP: Generate temporary self signed certificate to appease ingress-gce Generate temporary self signed certificate to appease ingress-gce Feb 27, 2019
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 27, 2019
@munnerz munnerz assigned DanielMorsing and unassigned munnerz Feb 27, 2019
@munnerz munnerz changed the title Generate temporary self signed certificate to appease ingress-gce Generate temporary certificate to appease ingress-gce Feb 28, 2019
@DanielMorsing
Copy link
Contributor

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2019
@DanielMorsing
Copy link
Contributor

/retest

1 similar comment
@munnerz
Copy link
Member Author

munnerz commented Feb 28, 2019

/retest

@retest-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to jetstack).
Review the full test history for this PR.
Silence the bot with an /lgtm cancel comment for consistent failures.

1 similar comment
@retest-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to jetstack).
Review the full test history for this PR.
Silence the bot with an /lgtm cancel comment for consistent failures.

@jetstack-bot jetstack-bot merged commit 334477e into cert-manager:master Feb 28, 2019
v0.7 automation moved this from In progress to Done Feb 28, 2019
@hmeerlo hmeerlo mentioned this pull request Mar 11, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DanielMorsing DanielMorsing DanielMorsing left review comments

@kragniz kragniz Awaiting requested review from kragniz

Assignees

@DanielMorsing DanielMorsing

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ca Indicates a PR directly modifies the CA Issuer code area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
No open projects
v0.7
  
Done
Milestone
v0.7
Development

Successfully merging this pull request may close these issues.

ingress-gce: ACME certificates fail to issue for the first time
4 participants
@munnerz @jetstack-bot @DanielMorsing @retest-bot