fix(azure): add cert-manager annotation for API ingress TLS#1008
Closed
beastawakens wants to merge 1 commit into master from
The Azure provider was missing the `cert-manager.io/cluster-issuer` annotation on the API ingress, unlike AWS, GCP, and DO providers. Without this annotation, cert-manager does not provision the `api-certificate` TLS secret, causing nginx to serve its default `ingress.local` certificate. This breaks features like `convox build --external` which requires Docker to authenticate against the API endpoint over TLS.
What is the feature/update/fix?

Fix: cert-manager Annotation on Azure API Ingress for TLS

The Azure provider was missing the `cert-manager.io/cluster-issuer` annotation on the API ingress, unlike AWS, GCP, and DO providers. Without this annotation, cert-manager did not provision the `api-certificate` TLS secret, causing nginx to serve its default `ingress.local` certificate for `api.<domain>.convox.cloud`.

This fix adds the `cert-manager.io/cluster-issuer = "letsencrypt"` annotation to the Azure `module "k8s"` block in `terraform/api/azure/main.tf`, bringing Azure in line with all other providers.

Provider coverage:

- AWS (`terraform/api/aws/main.tf`)
- GCP (`terraform/api/gcp/main.tf`)
- DO (`terraform/api/do/main.tf`)

Without a valid certificate on the API endpoint, any client performing TLS verification against `api.<domain>.convox.cloud` would see an error like:

This most visibly broke `convox build --external`, which requires Docker to authenticate against the API endpoint over TLS.

Why is this important?

The API endpoint is the front door for authenticated Convox operations, and several features depend on it presenting a valid, publicly trusted certificate. On Azure racks that never received this annotation, cert-manager never issued the `api-certificate` secret, so nginx fell back to its built-in `ingress.local` self-signed certificate. Clients that properly validate TLS — including the Docker daemon used by `convox build --external` — would reject the connection.

Benefits:

- `convox build --external` works on Azure. Docker can now authenticate against `api.<domain>.convox.cloud` over a valid TLS connection, unblocking external builds on Azure racks.
- `api-certificate` secret via Let's Encrypt just like AWS, GCP, and DO racks.

Workaround for existing racks (no rack update required):

Existing Azure racks can be fixed in place by manually annotating the API ingress:

cert-manager will then automatically provision the `api-certificate` secret via Let's Encrypt within roughly 30 seconds. Updating the rack to 3.24.4 applies the annotation automatically via Terraform.

Does it have a breaking change?

No breaking changes are introduced with this fix.

- `api-certificate` secret and nginx begins serving it — no manual intervention is required.

Requirements

This fix requires version 3.24.4 or later for the rack.

Update the Rack: Run `convox rack update 3.24.4 -r rackName` to update to this version.

Note that your rack must already be on at least version 3.23.0 before performing this update.

If you're unfamiliar with v3 rack versioning, we recommend reviewing the documentation on Updating a Rack before applying any updates.
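The following is an added pre-flight check written for this discussion; it is not part of the Convox project's code. It performs the same verified TLS handshake a Docker daemon makes against the API endpoint and classifies the outcome, so an operator can confirm that a real certificate (rather than the ingress controller's `ingress.local` default) is being served before running `convox build --external`, or confirm that the workaround annotation took effect. The hostname `api.example.convox.cloud` is a placeholder, the certificate dicts in the comments are constructed samples, and `diagnose()` accepts a certificate dict from `getpeercert()` or any other decoder, which is where the `ingress.local` check applies (a verified handshake never completes against that self-signed certificate, so the live path reports it as a verification failure instead).

```python
"""Pre-flight TLS check for a Convox rack API endpoint.

Added example, not Convox project code. Distinguishes three situations an
operator may hit on api.<domain>.convox.cloud:
  - a valid certificate covering the hostname (what cert-manager issues),
  - the ingress controller's built-in ingress.local self-signed certificate
    (served when the api-certificate secret does not exist),
  - a valid certificate issued for some other name.
"""
import socket
import ssl

FALLBACK_NAME = "ingress.local"  # SAN on the ingress controller's default cert


def dns_names(cert):
    """DNS names a getpeercert()-style dict is valid for (SANs, else the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, host):
    """RFC 6125 style match: a leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def diagnose(cert, expected_host):
    """Classify a certificate dict for expected_host.

    Returns 'fallback' for the ingress.local default certificate, 'ok' when a
    SAN or CN covers the host, and 'mismatch' for a certificate issued for
    some other name. Works on dicts from getpeercert() or any other decoder.
    """
    names = dns_names(cert)
    if FALLBACK_NAME in names:
        return "fallback"
    if any(name_matches(name, expected_host) for name in names):
        return "ok"
    return "mismatch"


def classify_verify_error(message):
    """Map an OpenSSL verification failure message to an operator-facing hint."""
    msg = message.lower()
    if "self signed" in msg or "self-signed" in msg:
        # What clients see when nginx serves its built-in default certificate
        # because the cert-manager issued secret is missing.
        return "self-signed certificate: the ingress is likely serving its default certificate"
    if "hostname mismatch" in msg:
        return "certificate does not cover the requested hostname"
    if "expired" in msg:
        return "certificate has expired"
    return "verification failed: " + message


def probe(host, port=443, timeout=5.0):
    """Verified handshake against host:port; returns (status, detail)."""
    ctx = ssl.create_default_context()  # chain + hostname verification, as Docker does
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return diagnose(cert, host), ", ".join(dns_names(cert))
    except ssl.SSLCertVerificationError as err:
        return "verify_failed", classify_verify_error(str(err))
    except ssl.SSLError as err:
        return "tls_error", str(err)
    except OSError as err:
        return "unreachable", str(err)


if __name__ == "__main__":
    import sys

    # Placeholder hostname; pass the real api.<domain>.convox.cloud as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.convox.cloud"
    print(probe(target))
```

A `verify_failed` result whose detail mentions a self-signed certificate is the exact symptom this PR describes; an `ok` result after applying the annotation shows the Let's Encrypt certificate is in place.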