-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace omg.howdoi.website detection and use provided issuer instead #590
Conversation
19bf081
to
4dd6734
Compare
f9d5d5f
to
2ccc1d1
Compare
no longer green after rebase on main |
viper.BindPFlag("tls-issuer", flags.Lookup("tls-issuer")) | ||
viper.BindEnv("tls-issuer", "TLS_ISSUER") | ||
|
||
flags.Bool("use-internal-registry-node-port", true, "(USE_INTERNAL_REGISTRY_NODE_PORT) Use the internal registry via a node port") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no point in setting this to true if enable-internal-registry-node-port
was set to false
at installation time right?
It seems to me, the only reason we need this flag is because we have no place to store the value of the enable-internal-registry-node-port
flag that was used. Is there a way to detect what value was used? For example, check the registry service to see what type it is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does the user define this for the server? Epinio sets up the server command automatically inside the server deployment, the user doesn't have a way to provide flags. The install command is the one that creates the server command and that one has access to the --enable-internal-registry-node-port
flag. Maybe we should use that to define the --use-internal-registry-node-port
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that was the plan. Let me check if I forgot to do this...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah here it is, some awful indirection, but all variable names match the pattern (snake case, kebap case, ...)
So the client puts this as an env var into the epinio deployment yaml via our ##substitution##. (I feel we should invest in real templates soon;)
I thought 'use' was more approriate for the server flag, but maybe it should be the same name as the client flag 'enable' ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe use
should be used in all cases? I mean, they use it in a different way but they both use it somehow. Otoh, I'm still thinking we could get rid of the server flag but inspecting the registry service. It's only used in one place (the staging api) in order to decide what the registry URL should look like.
I verified that I can use another domain and still use self-signed certificates with:
|
Since there is no auto-detection of "production" setup anymore, we need to document the recommended way to deploy in production. That should prominent in the README.md (even if it's just a link to another page). |
I face this issue:
I get this error:
|
removes the unused cmd.Flags from NewInstallClient
The certificates CRD is deleted via the owner ref
* add arg `--tls-issuer` to specify the name of the cert manager issuer to use * add args to CLI and server to toggle the creation and use of the node port workaround for the internal registry (`--enable-internal-registry-node-port`, `--use-internal-registry-node-port`) * remove decision on tekton trust, always add certificate to tekton and add TODO to remove workaround once we can use the mesh * epinio install will use current TRACE_LEVEL for server
With automatic ownership we get clean up for free
Previously didn't work, because go-template returned not an empty string, but "<no value>" Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
ACME generated certs from cert-manager don't have a ca.crt key. * tektoncd/catalog#757 Co-authored-by: Mario Manno <mario.manno@suse.com>
Was not used anymore Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
Use a fixed string for users home dir Co-authored-by: Mario Manno <mario.manno@suse.com>
…ethod and retry on one more case (reverting a previous commit which removed it) Signed-off-by: Dimitris Karakasilis <DKarakasilis@suse.com> Co-authored-by: Dimitris Karakasilis <DKarakasilis@suse.com>
--tls-issuer
to specify the name of the cert manager issuer to useport workaround for the internal registry
(
--enable-internal-registry-node-port
,--use-internal-registry-node-port
)add TODO to remove workaround once we can use the mesh
No tests were added since we don't have tests for 'production'/letsencrypt installations. Really, we have no tests for installation at all.
fixes #590