
experimental excision of cert-manager #509

Merged: 5 commits into main, Nov 14, 2023

Conversation

andreas-kupries
Contributor

@andreas-kupries andreas-kupries commented Oct 25, 2023

Ref epinio/epinio#2476
main PR: epinio/epinio#2681

Enable disabling of CM Certificate resources.
Conversely inject Secret resources normally generated by CM.
Plus values.yaml parameters to configure these secrets.

enable disabling of CM Certificate resources
conversely inject Secret resources normally generated by CM.
plus values.yaml parameters to configure these secrets
@andreas-kupries andreas-kupries added the area/dependencies Pull requests that update a dependency file label Oct 25, 2023
@andreas-kupries andreas-kupries added this to the v1.11.0 milestone Oct 25, 2023
@andreas-kupries andreas-kupries self-assigned this Oct 25, 2023
@thehejik
Contributor

It seems we also have to update the app chart; this is shown when deploying an app:

Unable to build kubernetes objects from release manifest: resource mapping not found for name: "rsample-tls-sample-tls-3619f120a2c9701f06e3008d5146feb82bd289d2" namespace: "" from "": no matches for kind "Certificate" in version "cert-manager.io/v1" ensure CRDs are installed first

@andreas-kupries
Contributor Author

> It seems we also have to update the app chart; this is shown when deploying an app:
>
> Unable to build kubernetes objects from release manifest: resource mapping not found for name: "rsample-tls-sample-tls-3619f120a2c9701f06e3008d5146feb82bd289d2" namespace: "" from "": no matches for kind "Certificate" in version "cert-manager.io/v1" ensure CRDs are installed first

See my notes at epinio/epinio#2476 (comment) and point 5 in the semi-spec at epinio/epinio#2476 (comment).

@thehejik
Contributor

thehejik commented Oct 31, 2023

> See my notes at epinio/epinio#2476 (comment) and point 5 in the semi-spec at epinio/epinio#2476 (comment)

I made a mistake originally and created an annotation instead of a label for the epinio.io/routing key. Now the application is deployed and uses the existing TLS secret for the app ingress, created in the same namespace as the app.

This is the TLS secret I created in the workspace namespace according to the doc:

```yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUd...
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  labels:
    epinio.io/routing: any-value-allowed
  name: sample-app-tls
  namespace: workspace
type: kubernetes.io/tls
```

@thehejik
Contributor

thehejik commented Oct 31, 2023

Notes:

  • certificates for epinio, dex and workload apps are served through public domains and can use wildcard domains (e.g. *.1.2.3.4.nip.io) in the CN/SAN fields
  • certificates for registry and minio/s3 are inter-cluster "private" domains, registry.<ns>.svc.cluster.local and minio.<ns>.svc.cluster.local
  • the minio certificate cannot use wildcard domains in CN/SAN, for some unknown reason
  • the TLS keys/CSRs/certs can be created manually according to this doc; just adapt the Subj/CN/SAN values accordingly
  • I was using --values values.yaml when installing epinio without CM; the keys s3, registry & epinio are needed by epinio to install with the default internal registry and internal minio:
```yaml
certManager:
  enabled: false
  s3:
    ca: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
  registry:
    ca: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
  epinio:
    ca: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
```
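
The notes above (public wildcard names for epinio/dex/apps, exact in-cluster names for registry and minio, the certManager.{s3,registry,epinio} values layout) together with the routing secret from the earlier comment can be scripted end to end. The script below is an added example, not Epinio project code: it uses openssl to mint a throwaway CA, one leaf certificate per service with the SANs described, checks each certificate the way a reviewer would before pasting PEMs into values.yaml, renders values.yaml in the layout shown, and writes the kubernetes.io/tls routing Secret carrying the epinio.io/routing label rather than an annotation. The namespace `epinio`, the domain `1.2.3.4.nip.io`, the output directory `./pki`, the app name `sample-app` and all function names are assumptions. The private keys come out in PKCS#8 form (`BEGIN PRIVATE KEY`) instead of the `BEGIN RSA PRIVATE KEY` form in the excerpt above; kubernetes.io/tls secrets accept both.

```shell
#!/usr/bin/env bash
# Added example, not Epinio project code. Generates a local CA, one leaf
# certificate per service with the SANs the notes describe, and renders the
# certManager.{s3,registry,epinio} values plus the per-app routing Secret.
set -eu

OUT="${OUT:-./pki}"                 # assumption: where keys, certs and YAML land
NS="${NS:-epinio}"                  # assumption: namespace Epinio is installed in
DOMAIN="${DOMAIN:-1.2.3.4.nip.io}"  # assumption: the global.domain used at install

# Self-signed CA that signs every service certificate; its PEM is shipped as
# the `ca:` value so the components can verify each other.
gen_ca() {
  mkdir -p "$OUT"
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$OUT/ca.key" \
    -out "$OUT/ca.csr" -subj "/CN=epinio-local-ca" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$OUT/ca.ext"
  openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/ca.key" -days 365 \
    -extfile "$OUT/ca.ext" -out "$OUT/ca.crt" >/dev/null 2>&1
}

# gen_cert NAME SANS: leaf key + CSR + CA-signed cert. SANS is in openssl
# subjectAltName syntax, e.g. "DNS:registry.epinio.svc.cluster.local".
gen_cert() {
  name=$1; sans=$2
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$OUT/$name.key" \
    -out "$OUT/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$sans" > "$OUT/$name.ext"
  openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 365 -extfile "$OUT/$name.ext" \
    -out "$OUT/$name.crt" >/dev/null 2>&1
}

# check_cert NAME EXPECTED_SAN: the cert chains to our CA, carries the SAN,
# and the private key matches the certificate (the three things that most
# often go wrong when certificates are produced by hand).
check_cert() {
  name=$1; expect=$2
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$OUT/$name.crt" -noout -ext subjectAltName | grep -qF "$expect" || return 1
  [ "$(openssl x509 -in "$OUT/$name.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$OUT/$name.key" -pubout)" ]
}

indent6() { sed 's/^/      /'; }   # PEM bodies sit under `<field>: |` at 6 spaces

# emit_block VALUES_KEY CERT_NAME: one s3:/registry:/epinio: stanza.
emit_block() {
  printf '  %s:\n    ca: |\n' "$1"; indent6 < "$OUT/ca.crt"
  printf '    cert: |\n';          indent6 < "$OUT/$2.crt"
  printf '    key: |\n';           indent6 < "$OUT/$2.key"
}

render_values() {
  {
    printf 'certManager:\n  enabled: false\n'
    emit_block s3 minio          # the s3 stanza is what minio serves
    emit_block registry registry
    emit_block epinio epinio
  } > "$OUT/values.yaml"
}

# render_routing_secret NAME APP_NS CERT KEY: kubernetes.io/tls Secret with the
# epinio.io/routing LABEL (an annotation is not picked up, as noted above).
render_routing_secret() {
  b64() { base64 < "$1" | tr -d '\n'; }
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: $1
  namespace: $2
  labels:
    epinio.io/routing: any-value-allowed
data:
  ca.crt: $(b64 "$OUT/ca.crt")
  tls.crt: $(b64 "$3")
  tls.key: $(b64 "$4")
EOF
}

main() {
  gen_ca
  gen_cert epinio   "DNS:*.$DOMAIN,DNS:$DOMAIN"           # public name: wildcard is fine
  gen_cert registry "DNS:registry.$NS.svc.cluster.local"  # in-cluster name
  gen_cert minio    "DNS:minio.$NS.svc.cluster.local"     # exact name, no wildcard
  render_values
  gen_cert sample-app "DNS:sample-app.$DOMAIN"            # one workload app (assumed name)
  render_routing_secret sample-app-tls workspace \
    "$OUT/sample-app.crt" "$OUT/sample-app.key" > "$OUT/routing-secret.yaml"
}
main
```

Running it leaves `pki/values.yaml` ready for `helm upgrade --install ... --values ./pki/values.yaml` and `pki/routing-secret.yaml` ready for `kubectl apply -f` into the application's namespace. The `check_cert` function is the part worth keeping around on its own: pointing it at an existing cert/key pair before pasting the PEMs into values.yaml catches the wrong CA, a missing in-cluster SAN, and a key that does not belong to the certificate, none of which produce a clear error at install time.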

@thehejik
Contributor

thehejik commented Nov 13, 2023

Test report:

  • Installation with custom certificates via values.yaml and without involving CM - OK

```console
$ cat values.yaml
certManager:
  enabled: false
  s3:
    ca: |
    cert: |
    key: |
  registry:
  ...
  epinio:
  ...

$ helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace --values ./values.yaml
```

  • Installation with default/mandatory values - CM has to be installed - OK

```shell
helm upgrade --install epinio --namespace epinio chart/epinio --set global.domain=1.2.3.4.nip.io --create-namespace
```

In both cases I also successfully deployed a sample PHP app and the route was reachable. I just had to create the "routing secret" when using custom certificates without CM.

enrichman previously approved these changes Nov 13, 2023
@andreas-kupries andreas-kupries merged commit f47a68d into main Nov 14, 2023
3 checks passed
@andreas-kupries andreas-kupries deleted the e2476-no-cert-manager branch November 14, 2023 10:04
@thehejik
Contributor

Verified in v1.11.0-rc2 on k3s without cert-manager installed, including a sample app deployment using the "routing secret" with certificates.
