Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace omg.howdoi.website detection and use provided issuer instead #590

Merged
merged 15 commits into from
Jul 14, 2021
Merged

Replace omg.howdoi.website detection and use provided issuer instead #590

merged 15 commits into from
Jul 14, 2021

Conversation

manno
Copy link
Member

@manno manno commented Jul 7, 2021
edited
Loading

  • add arg --tls-issuer to specify the name of the cert manager issuer to use
  • add args to CLI and server to toggle the creation and use of the node
    port workaround for the internal registry
    (--enable-internal-registry-node-port,
    --use-internal-registry-node-port)
  • remove decision on tekton trust, always add certificate to tekton and
    add TODO to remove workaround once we can use the mesh
  • epinio install will use current TRACE_LEVEL for server

No tests were added since we don't have tests for 'production'/letsencrypt installations. Really, we have no tests for installation at all.

fixes #590

@manno manno force-pushed the 564-custom-issuer branch 3 times, most recently from 19bf081 to 4dd6734 Compare July 9, 2021 10:13
@manno manno marked this pull request as ready for review July 9, 2021 11:08
@manno manno changed the title 564 custom issuer Replace omg.howdoi.website detection and use provided issuer instead Jul 9, 2021
@manno manno force-pushed the 564-custom-issuer branch 2 times, most recently from f9d5d5f to 2ccc1d1 Compare July 9, 2021 16:12
@manno
Copy link
Member Author

manno commented Jul 9, 2021

no longer green after rebase on main

jimmykarily
jimmykarily reviewed Jul 12, 2021
View reviewed changes
internal/cli/server.go
viper.BindPFlag("tls-issuer", flags.Lookup("tls-issuer"))
viper.BindEnv("tls-issuer", "TLS_ISSUER")

flags.Bool("use-internal-registry-node-port", true, "(USE_INTERNAL_REGISTRY_NODE_PORT) Use the internal registry via a node port")
Copy link
Contributor

@jimmykarily jimmykarily Jul 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no point in setting this to true if enable-internal-registry-node-port was set to false at installation time right?
It seems to me, the only reason we need this flag is because we have no place to store the value of the enable-internal-registry-node-port flag that was used. Is there a way to detect what value was used? For example, check the registry service to see what type it is?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does the user define this for the server? Epinio sets up the server command automatically inside the server deployment, the user doesn't have a way to provide flags. The install command is the one that creates the server command and that one has access to the --enable-internal-registry-node-port flag. Maybe we should use that to define the --use-internal-registry-node-port?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that was the plan. Let me check if I forgot to do this...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah here it is, some awful indirection, but all variable names match the pattern (snake case, kebap case, ...)

https://github.com/epinio/epinio/pull/590/files#diff-892d335f47fd05c8157a81b96c028b3d6c1a88492ca015135d24fe86a1ede046R308-R309

So the client puts this as an env var into the epinio deployment yaml via our ##substitution##. (I feel we should invest in real templates soon;)

I thought 'use' was more approriate for the server flag, but maybe it should be the same name as the client flag 'enable' ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe use should be used in all cases? I mean, they use it in a different way but they both use it somehow. Otoh, I'm still thinking we could get rid of the server flag but inspecting the registry service. It's only used in one place (the staging api) in order to decide what the registry URL should look like.

@jimmykarily
Copy link
Contributor

I verified that I can use another domain and still use self-signed certificates with:

/dist/epinio-linux-amd64 install --skip-default-org --verbosity=1 --system-domain 10.86.4.38.nip.io

@jimmykarily
Copy link
Contributor

Since there is no auto-detection of "production" setup anymore, we need to document the recommended way to deploy in production. That should prominent in the README.md (even if it's just a link to another page).

@jimmykarily
Copy link
Contributor

jimmykarily commented Jul 12, 2021
edited
Loading

I face this issue:

  1. I create a gke cluster and get a kubeconfig to talk to it
  2. I run this command to setup ingress: ./dist/epinio-linux-amd64 install-ingress
  3. I run this command to install Epinio:
TRACE_LEVEL=100 ./dist/epinio-linux-amd64 install --verbosity=1  --enable-internal-registry-node-port=false --tls-issuer letsencrypt-production  --system-domain pr-590.mydomain.org

I get this error:


🕞  Starting app.kubernetes.io/name=epinio-server in epinio .

🕞    Starting pod epinio-server-5cb687c87f-ktqw7 in epinio ...........................
✔️  Registry deployed
2021/07/12 16:32:13 InstallClient/Install "level"=2 "msg"="return"  
...

✔️  Gitea deployed
2021/07/12 16:32:14 InstallClient/Install "level"=2 "msg"="return"  
....................................................................................................................................................

🕞   Applying tekton staging resources .
2021/07/12 16:33:28 InstallClient/Install "level"=2 "msg"="return"  
panic: Deployment tekton failed with error: Applying tekton staging resources failed:
: Failed to get registry CA from tekton-staging namespace: failed to decode certificate
failed find PEM data


goroutine 29 [running]:
github.com/epinio/epinio/internal/cli/clients.(*InstallClient).Install.func1(0xc0007ef620, 0x21012e0, 0xc0000c0000, 0x2117f40, 0xc000276820, 0x21235e0, 0xc0000d4400, 0xc000040e74)
	/home/dimitris/workspace/suse/epinio/internal/cli/clients/install_client.go:148 +0x263
created by github.com/epinio/epinio/internal/cli/clients.(*InstallClient).Install
	/home/dimitris/workspace/suse/epinio/internal/cli/clients/install_client.go:145 +0xe1b

@jimmykarily jimmykarily mentioned this pull request Jul 13, 2021
Closed
Mario Manno added 10 commits July 13, 2021 10:48
Move LocalRegistry out of Gitea package
0ca59b9
Pass cmd.Flags instead of cmd to commands
0ad48be 
removes the unused cmd.Flags from NewInstallClient
Remove unused code from option
551bab9
Add getters for global, needed options
c8785fa
Add createNodePort value to internal registry's helm chart
6e75291
Move workload's cert deletion into server
2126796 
The certificates CRD is deleted via the owner ref
ConfigUpdate always stores the current CA
2db5c91
Use the given tls-issuer for generating certificates
3fcf090 
* add arg `--tls-issuer` to specify the name of the cert manager issuer to use
* add args to CLI and server to toggle the creation and use of the node
  port workaround for the internal registry
  (`--enable-internal-registry-node-port`,
  `--use-internal-registry-node-port`)
* remove decision on tekton trust, always add certificate to tekton and
  add TODO to remove workaround once we can use the mesh
* epinio install will use current TRACE_LEVEL for server
Cert-manager certificates own cert secrets
f290758 
With automatic ownership we get clean up for free
Try to fix flaky test
a216cc8
Mario Manno and others added 4 commits July 13, 2021 14:02
Waiting for epinio-registry-tls to have data
024d0c5 
Previously didn't work, because go-template returned not an empty
string, but "<no value>"

Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
Only mount untrusted CA in tekton
ab814b7 
ACME generated certs from cert-manager don't have a ca.crt key.

* tektoncd/catalog#757

Co-authored-by: Mario Manno <mario.manno@suse.com>
Remove Quarks
7c33bef 
Was not used anymore

Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
Update cli reference docs
8fcac55 
Use a fixed string for users home dir

Co-authored-by: Mario Manno <mario.manno@suse.com>
Handle installation error in tests, introduce wait for cert manager m…
3d48721 
…ethod

and retry on one more case (reverting a previous commit which removed
it)

Signed-off-by: Dimitris Karakasilis <DKarakasilis@suse.com>
Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
@andreas-kupries andreas-kupries mentioned this pull request Jul 14, 2021
Merged
@manno manno merged commit e350a06 into main Jul 14, 2021
@manno manno deleted the 564-custom-issuer branch July 14, 2021 08:06
@andreas-kupries andreas-kupries mentioned this pull request Jul 14, 2021
Merged
@jimmykarily jimmykarily mentioned this pull request Jul 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jimmykarily jimmykarily jimmykarily approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@manno @jimmykarily