Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Installer]: internal certificate validation #6820

Closed
2 tasks done
mrsimonemms opened this issue Nov 21, 2021 · 1 comment · Fixed by #6893
Closed
2 tasks done

[Installer]: internal certificate validation #6820

mrsimonemms opened this issue Nov 21, 2021 · 1 comment · Fixed by #6893
Labels
component: install Terraform installation scripts, helm charts, installer images

Comments

@mrsimonemms
Copy link
Contributor

mrsimonemms commented Nov 21, 2021
edited
Loading

One of the biggest changes between the old Helm charts and the new Installer is how the internal certificates are generated. Helm used it's internal CA/Cert generation functions to generate a one-time certificate which had no automated renewal process. The Installer user Cert Manager to create an internal CA and allows certs to be generated from that.

  • check that Cert Manager actually is able to renew certs. Suggest setting to a short time (1 hour) and checking that certs are renewed. Should also include the CA in this - certs in common/ca.go, cluster/certmanager.go, docker-registry/certificate.go, ws-daemon/tlssecret.go and ws-manager/tlssecret.go
  • once renewal is confirmed, establish an appropriate duration for certs. As the cluster is generating them internal, there shouldn't be much resource/financial cost to generating them so 3 months is probably an appropriate duration - this would mirror LetsEncrypt
@mrsimonemms
Copy link
Contributor Author

Thanks to @aledbf for suggesting this approach

@mrsimonemms mrsimonemms added the component: install Terraform installation scripts, helm charts, installer images label Nov 25, 2021
@mrsimonemms mrsimonemms mentioned this issue Nov 25, 2021
Merged
@roboquat roboquat moved this to Done in 🌌 Workspace Team Nov 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: install Terraform installation scripts, helm charts, installer images
Projects
No open projects
🌌 Workspace Team
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[installer]: set all internal certs to 90 days duration gitpod-io/gitpod
1 participant
@mrsimonemms