Migrate to using SANs for webhook certificates for Go 1.15 #1899

Closed
3 tasks done
markmandel opened this issue Nov 16, 2020 · 2 comments · Fixed by #2167
Labels
help wanted We would love help on these issues. Please come help us! kind/breaking Breaking change kind/cleanup Refactoring code, fixing up documentation, etc kind/feature New features for Agones
markmandel commented Nov 16, 2020

Context: #1897

Go 1.15 no longer supports Common Name based certs for HTTPS without a specific flag. Common Name is a 20-year-old deprecation, and we probably shouldn't be promoting it.

There is a backward compatible environment flag, but it will be going away eventually. This flag, for the life of me I could not make it work -- which blocked a migration to latest 1.15.

I tried to write steps to create certs with SANs, but my OpenSSL knowledge is not good enough.

So, as a plan to migrate to Go 1.15:

  1. Update webhook with cert creation instructions to use SANs over Common Name, and ensure it works with current Agones version.
  2. Provide release note announcement on deprecation of Common Name certificates for webhooks.
  3. Migrate build system to Go 1.15 and no longer support SAN based certificates.
@markmandel

We could really move to 1.16 at this point!
https://golang.org/doc/go1.16

markmandel commented Jun 29, 2021

Worth noting - if you upgrade to 1.16, it's possible the certs we use for validation and mutation webhooks when installing through index.yaml may not contain SANs and may therefore break the install path for install.yaml

helm should be fine, since it generates SAN powered certs.

Example:
https://github.com/googleforgames/agones/blob/main/install/helm/agones/templates/extensions.yaml#L71

@roberthbailey roberthbailey added this to the 1.16.0 milestone Jul 13, 2021