.werft/build: Issue certificates during preparation phase #9076

Merged
merged 3 commits into from
Apr 5, 2022

ArthurSens
Contributor

Signed-off-by: ArthurSens arthursens2005@gmail.com

Description

Moves the issuing of certificates to the prepare phase (before the containers' build). The certificate can be issued while the build is still running and will be cached in core-dev's certs namespace.

The cached certificate will be copied to the appropriate preview environment after it is ready to use.

Known problems (at the moment)

Certificates for both core-dev and harvester are sharing (and overriding) the same Certificate CR in core-dev. When transitioning from core-dev to harvester (or vice-versa) the preview domain changes and the certificate is not valid anymore.

I'll remove the draft after and finish making each preview type to have their own Certificate resource

Related Issue(s)

Fixes #8998

How to test

Release Notes

NONE

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
@ArthurSens ArthurSens force-pushed the arthursens/preview-envs-on-harvester-8998 branch from e52e9b2 to 3486970 Compare April 1, 2022 16:17

ArthurSens commented Apr 1, 2022

Currently struggling to issue certificates due to:

image

for (const sd of params.additionalSubdomains) {
subdomains.push(sd);
}

try {
exec(`echo "Domain: ${params.domain}, Subdomains: ${subdomains}"`, {slice: shellOpts.slice})
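Review bot: The `exec` call inside the `try` block builds a shell command by interpolating `params.domain` and `subdomains` directly into the `echo` string, so any shell metacharacters in those values would be interpreted by the shell rather than printed. Since the line only prints the two values (with the array rendered as a comma-joined string), log them from the script itself instead of shelling out, or drop the line before merge.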

Suggested change
exec(`echo "Domain: ${params.domain}, Subdomains: ${subdomains}"`, {slice: shellOpts.slice})

@meysholdt
Member

Currently struggling to issue certificates due to:

It sounds like the GCP service account used by CertManager does not have access to the domain preview.gitpod-dev.com


ArthurSens commented Apr 4, 2022

Currently struggling to issue certificates due to:

It sounds like the GCP service account used by CertManager does not have access to the domain preview.gitpod-dev.com

Thanks Mo, do you know where I can change this configuration? I get kinda lost when navigating through DNS configuration in GCP 😅

@fullmetalrooster
Contributor

@ArthurSens The cluster-issuer that manages preview.gitpod-dev.com is letsencrypt-issuer-gitpod-core-dev. The problem is that the cluster-issuer is bound to a GCP-project and the DNS-Zone for preview.gitpod-dev.com is in the project gitpod-core-dev.


ArthurSens commented Apr 4, 2022

@ArthurSens The cluster-issuer that manages preview.gitpod-dev.com is letsencrypt-issuer-gitpod-core-dev. The problem is that the cluster-issuer is bound to a GCP-project and the DNS-Zone for preview.gitpod-dev.com is in the project gitpod-core-dev.

Hmmmm I see... do you see a way to move forward? 🤔

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
@ArthurSens ArthurSens marked this pull request as ready for review April 4, 2022 14:55
@ArthurSens ArthurSens requested a review from a team April 4, 2022 14:55
@ArthurSens
Contributor Author

Thanks for all the help, just tested and it worked for both core-dev and harvester previews :)

Ready for a review round

@roboquat roboquat merged commit 16b0d92 into main Apr 5, 2022
@roboquat roboquat deleted the arthursens/preview-envs-on-harvester-8998 branch April 5, 2022 08:21
Successfully merging this pull request may close these issues.

preview envs on Harvester: request certs on core-dev and copy them into VMs