Skip to content

enable SSL for the SDK pod #285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 49 commits into from
Jun 9, 2025
Merged

enable SSL for the SDK pod #285

merged 49 commits into from
Jun 9, 2025

Conversation

laverya
Copy link
Member

@laverya laverya commented Jun 2, 2025
edited
Loading

What does this PR do?

This adds SSL support for the pod, and adds a bunch of dagger logging + has the dagger test upgrade the chart to use SSL after initial installation + check that the pod is actually serving traffic via ssl

Does this PR introduce a user-facing change?

This adds a `tlsCertSecretName` parameter that when set will cause the SDK to serve traffic using the certificate from the named secret within the namespace.

laverya
laverya commented Jun 6, 2025
View reviewed changes
@laverya laverya marked this pull request as ready for review June 6, 2025 18:16
laverya
laverya commented Jun 6, 2025
View reviewed changes
Makefile
Comment on lines -62 to +61
docker push ttl.sh/${USER}/replicated-sdk:24h

make -C chart build-ttl.sh
dagger call test-chart --progress=plain
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the files this used to use were deleted with the move to dagger

staciegravy
staciegravy reviewed Jun 6, 2025
View reviewed changes
pkg/apiserver/server.go
}

// loadTLSConfig loads TLS certificate and key from a Kubernetes secret
func loadTLSConfig(clientset kubernetes.Interface, namespace, secretName string) (*tls.Config, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do some certificate validation here? At least check the expiry?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly I don't think so? Is it better to fallback to non-tls, or is it better to just keep serving the provided certificate?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think im with @laverya on this one, I wouldn't be opposed to trying to emit debug lines if the cert was expired or something along those lines - but generally expect services to still start when the cert is expired/self-signed/etc i think.

laverya added 24 commits June 6, 2025 16:17
@laverya laverya merged commit cb3d995 into main Jun 9, 2025
2 checks passed
@laverya laverya deleted the laverya/sc-123955/enable-ssl-for-replicated-sdk-pod branch June 9, 2025 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@staciegravy staciegravy staciegravy left review comments

@pandemicsyn pandemicsyn pandemicsyn approved these changes

Assignees
No one assigned
Labels
type::feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@laverya @pandemicsyn @staciegravy