enable SSL for the SDK pod #285
…ble-ssl-for-replicated-sdk-pod
docker push ttl.sh/${USER}/replicated-sdk:24h | ||
|
||
make -C chart build-ttl.sh | ||
dagger call test-chart --progress=plain |
the files this used to use were deleted with the move to dagger
} | ||
|
||
// loadTLSConfig loads TLS certificate and key from a Kubernetes secret | ||
func loadTLSConfig(clientset kubernetes.Interface, namespace, secretName string) (*tls.Config, error) { |
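Review bot: loadTLSConfig takes no context.Context in its signature, so the secret read through clientset cannot be bounded by a timeout or cancelled during startup; consider adding ctx as the first parameter and passing it to the secret lookup. The doc comment could also say which keys of the secret are read and what the caller is expected to do when an error is returned, since the review thread on this function turns on whether a bad certificate should stop TLS from being served.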
Should we do some certificate validation here? At least check the expiry?
Honestly I don't think so? Is it better to fall back to non-TLS, or is it better to just keep serving the provided certificate?
Think I'm with @laverya on this one. I wouldn't be opposed to trying to emit debug lines if the cert was expired or something along those lines, but generally expect services to still start when the cert is expired/self-signed/etc., I think.
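The position reached in this thread (log when the certificate is expired or self-signed, but keep serving it), as an added Go example that is not the PR's code. `certWarnings`, `selfSigned`, the host name and the `MinVersion` setting are assumptions, and the certificate is generated inline rather than read from a Kubernetes secret.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certWarnings (hypothetical) errors only on an unusable key pair; validity issues are returned as warnings to log.
func certWarnings(certPEM, keyPEM []byte, now time.Time) (*tls.Config, []string, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // also rejects a key that does not match the cert
	if err != nil {
		return nil, nil, fmt.Errorf("unusable key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, nil, fmt.Errorf("parse leaf: %w", err)
	}
	var warns []string
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		warns = append(warns, fmt.Sprintf("outside validity window (%s to %s)", leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339)))
	}
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
		warns = append(warns, "self-issued (issuer equals subject)")
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12}, warns, nil
}

// selfSigned builds a constructed certificate for the demo; errors are ignored for brevity.
func selfSigned(from, to time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to, Subject: pkix.Name{CommonName: "sdk.example.internal"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	c, k := selfSigned(time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	_, warns, err := certWarnings(c, k, time.Now())
	fmt.Println(warns, err)
}
```

An expired certificate still yields a usable `*tls.Config`; only a malformed or mismatched key pair returns an error, which is the one case where the caller has nothing to serve.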
What does this PR do?
This adds SSL support for the pod, and adds a bunch of dagger logging + has the dagger test upgrade the chart to use SSL after initial installation + check that the pod is actually serving traffic via ssl
Does this PR introduce a user-facing change?