TLS init #410
Wow! Awesome work, Ashwin! I love that it's now a command and how thorough you were with tests. I had some comments about the code and a bunch of edits. I'm still reviewing and would also like to try it out, but I thought I'd leave the comments I have so far.
Thanks for doing this refactor!
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
- Simplify logic around using kubernetes secret as CA
This is awesome work!! Do you think it would be worth adding a test to make sure the CA isn't recreated if it exists?
@ndhanushkodi I was wrong. It does not verify that it used the existing CA cert. Will add that test. Good catch. Follow up: Added
- Remove redundant assertions.
Looks great, Ashwin! I've left some edits and comments, but they are mostly "cosmetical", non-blocking. I've tried it out too, and it works like magic 🧙‍♂️ !
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Changes proposed in this PR:
- `tls-init` subcommand that manages creating server TLS certificates. The responsibility of the subcommand is as follows:

How I've tested this PR:
- `ashwinvenkatesh/consul-k8s:tls-init` and also updated the TLS-init job to use the consul-k8s binary with the `tls-init` subcommand. I tested initial TLS cert generation, updating the DNS SANs and performing a helm upgrade. This issued new certificates that the consul servers would start using after they were restarted. I ran `openssl s_client -connect localhost:8501` from within the server pods to validate that they did in fact use the new certificates that had updated DNS SANs.

How I expect reviewers to test this PR:
- I will add instructions for how to test the end to end flow on a corresponding consul-helm PR.

Checklist:
- Closes hashicorp/consul-helm#512, Makes hashicorp/consul-helm#719 unnecessary
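The SAN check the author describes (reading the certificate a server presents and confirming the updated DNS SANs are in it), written up as an added shell example that is not code from this PR or from consul-k8s. It assumes `openssl` 1.1.1 or newer on PATH; the certificate fixture it builds, and the names `server.dc1.consul`/`localhost` in it, are constructed for illustration and are not values taken from the PR.

```shell
#!/bin/sh
# Added example (not from the consul-k8s PR): verify that a server certificate
# carries the expected DNS SANs, the same check the PR author ran with
# `openssl s_client` from inside the server pods after a helm upgrade.

# Print the SAN entries of a PEM certificate, one per line (e.g. DNS:localhost).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//'
}

# Exit 0 if the certificate in file $1 contains the exact SAN entry $2.
cert_has_san() {
  cert_sans "$1" | grep -qx "$2"
}

# Fetch the leaf certificate presented by a live TLS listener ($1 = host:port)
# and save it as PEM in $2; pipe the result into cert_has_san for a live check.
fetch_server_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Constructed fixture: a throwaway self-signed cert with SANs of the kind a
# Consul server cert carries (names are illustrative, not taken from the PR).
make_fixture_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1" -days 1 -subj "/CN=server.dc1.consul" \
    -addext "subjectAltName=DNS:server.dc1.consul,DNS:localhost,IP:127.0.0.1" \
    2>/dev/null
}
```

Against a running server, `fetch_server_cert localhost:8501 /tmp/leaf.pem` followed by `cert_has_san /tmp/leaf.pem DNS:<new-name>` confirms that the restarted servers actually serve the regenerated certificate rather than a cached one.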