-
Notifications
You must be signed in to change notification settings - Fork 778
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use cert-manager with Let's Encrypt to enable TLS for gcsweb #182
Conversation
fdb5131
to
0700938
Compare
To bootstrap cert-manager components (per the cert-manager docs): cd cert-manager/
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
kubectl apply -f cert-manager.yaml --validate=false
kubectl apply -f letsencrypt-staging.yaml
kubectl apply -f letsencrypt-prod.yaml Then create the cd gcsweb.k8s.io/
kubectl apply -f certificate.yaml
kubectl apply -f ingress.yaml Subsequent migrations (spartakus, redirector, etc) only need the latter steps (creating a |
0700938
to
23a981a
Compare
23a981a
to
bdbb3c7
Compare
Awesome to see, and this lgtm 😄 One thing to note - we've identified an issue with certificate rotation in the webhook component, which could leave the webhook solving with old certificates when renewal times comes along. More details here: cert-manager/cert-manager#1340 The certificate duration here is configured to be 1y for the serving cert, and 5y for the CA used. Just a heads up to upgrade to v0.7 once that is released some time in the next year, or otherwise {somehow remember} to restart your webhook pod in ~8mths time (we renew 4m before expiry). If you want to keep an eye on the expiry state of your certificates, we also expose expiry time prometheus metrics. You might want to set up prometheus/alertmanager/stackdriver or the like, to automatically alert you if a certificate is nearing expiry 😄 |
bc33908
to
bb51549
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This all looks good to me (doing a visual review, I've not actually pulled and deployed these manifests) barring the one comment about ordering when it comes to applying these changes 😄
cert-manager/README.md
Outdated
@@ -0,0 +1,12 @@ | |||
To bootstrap (per the [cert-manager getting started | |||
guide](https://cert-manager.readthedocs.io/en/latest/getting-started/install.html#installing-with-regular-manifests)): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: may want to pin latest
to release-0.6
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
cert-manager/README.md
Outdated
|
||
``` | ||
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account) | ||
kubectl apply -f cert-manager.yaml --validate=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: possibly add a note mentioning that --validate=false
can go away with k8s 1.13+
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -7,6 +7,8 @@ metadata: | |||
annotations: | |||
kubernetes.io/ingress.global-static-ip-name: gcsweb-k8s-io | |||
spec: | |||
tls: | |||
- secretName: gcsweb-k8s-io-tls |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Due to an issue with the way cert-manager obtains certificates from LE (we generate and store a private key before the corresponding certificate has been obtained from Let's Encrypt) (more info: cert-manager/cert-manager#1343) - if you add this field here when no Secret resource already exists, the ingress-gce ingress controller will fail to actually update the GCP API with the load balancer configuration.
Because of this, you must instead create the Certificate resource and obtain the certificate before updating the ingress resource to reference that secret.
We'll be building a workaround into v0.7 which is due in ~1.5wks (most likely, pre-generating a self-signed certificate which can be used in the interim whilst CM is obtaining a publicly trusted certificate).
What this means, is that in order to deploy this the first time, you'll need to apply these changes after creating all the other resources in this PR 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I discovered this, but I appreciate the clarification. I added a note to our README as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've got a fix in progress that will be landing in v0.7 here: cert-manager/cert-manager#1392 😄
bb51549
to
9ff1832
Compare
/approve For followup, I feel like we should have a cert-manager/OWNERS file so this doesn't have to hit root OWNERS |
good point re: |
Taking another look, this all looks 👍 to me (although sods law states ...) I'll add my lgtm, but defer a
I'd be happy to put my name forward to be pinged for reviews etc. on this 😄 |
/lgtm |
added |
I am OK with this, but defer actual review to you folks. I will approve but not remove he hold. At your leisure. /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: spiffxp, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
this needs one more |
/lgtm |
/hold cancel |
The first commit is basically following the cert-manager setup guide and installing
ClusterIssuers
for the staging and prod Let's Encrypt endpoints.The second commit then uses this setup to obtain a certificate for gcsweb and install it in the new Ingress.
I haven't deployed any of this to the real cluster, but I've tested a version of it on my own deployment and cluster: http://gcsweb.ixdyland.net/gcs/kubernetes-jenkins/
Fixes #38
(and paves the way to using this for spartakus and the k8s.io redirectors)
/assign @thockin @hh
cc @munnerz