fix: certificate issues #289

Closed
wants to merge 1 commit into from

alejandroEsc
Contributor

@alejandroEsc alejandroEsc commented Jan 20, 2023

Here I am fixing a few issues I have found so far that may be preventing @JakeSCahill from being able to properly create a certificate with ACME.

Part of #203

@alejandroEsc alejandroEsc self-assigned this Jan 20, 2023
@joejulian
Contributor

Also remove commonName https://github.com/redpanda-data/helm-charts/pull/289/files#diff-ec07f07a47aa911db2b476d9fcdd33907646aadab5e83db1e9aa13d36ab671e5R37

@alejandroEsc alejandroEsc marked this pull request as ready for review January 24, 2023 15:16
@JakeSCahill
Contributor

JakeSCahill commented Jan 26, 2023

Thanks @alejandroEsc!

It looks like caEnabled is also ignored.

I'm seeing a root certificate being generated even if I specify tls.cert.redpanda.caEnabled=false.

This is causing a failed Certificate to be generated that is looking for an Issuer called redpanda-redpanda-self-signed-issuer:

```
Normal  IssuerNotFound      12m   cert-manager-certificaterequests-issuer-selfsigned  Referenced "Issuer" not found: issuer.cert-manager.io "redpanda-redpanda-selfsigned-issuer" not found
redpanda       redpanda-default-cert                     True    redpanda-default-cert                     15m
redpanda       redpanda-default-root-certificate         True    redpanda-default-root-certificate         15m
redpanda       redpanda-redpanda-cert                    True    redpanda-redpanda-cert                    15m
redpanda       redpanda-redpanda-root-certificate        False   redpanda-redpanda-root-certificate        15m
```
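
A check for the symptom reported above (a Certificate whose issuerRef names an Issuer that was never created), as an added example that is not part of the PR or the chart. It runs on a constructed object list; issuer names other than letsencrypt-prod and redpanda-redpanda-selfsigned-issuer, and the script name in the comment, are assumptions.

```python
import json
import sys

def dangling_issuer_refs(items):
    """List Certificates whose issuerRef names an Issuer/ClusterIssuer that does not exist."""
    known = set()
    for o in items:
        meta = o["metadata"]
        if o["kind"] == "Issuer":            # namespaced
            known.add(("Issuer", meta["namespace"], meta["name"]))
        elif o["kind"] == "ClusterIssuer":   # cluster-scoped
            known.add(("ClusterIssuer", None, meta["name"]))
    missing = []
    for o in items:
        if o["kind"] != "Certificate":
            continue
        ref = o["spec"]["issuerRef"]
        if ref.get("group", "cert-manager.io") != "cert-manager.io":
            continue                          # external issuer type, not resolvable here
        kind = ref.get("kind", "Issuer")      # cert-manager defaults kind to Issuer
        ns = o["metadata"]["namespace"]
        if (kind, ns if kind == "Issuer" else None, ref["name"]) not in known:
            missing.append((ns, o["metadata"]["name"], kind, ref["name"]))
    return missing

def _obj(kind, name, ns=None, ref=None):
    o = {"kind": kind, "metadata": {"name": name}}
    if ns:
        o["metadata"]["namespace"] = ns
    if ref:
        o["spec"] = {"issuerRef": ref}
    return o

# Constructed sample: certificate names follow the thread; issuer names other than
# letsencrypt-prod and redpanda-redpanda-selfsigned-issuer are assumptions.
SAMPLE = [
    _obj("ClusterIssuer", "letsencrypt-prod"),
    _obj("Issuer", "redpanda-default-root-issuer", "redpanda"),
    _obj("Issuer", "redpanda-redpanda-selfsigned-issuer", "other-ns"),  # wrong namespace
    _obj("Certificate", "redpanda-default-cert", "redpanda", {"name": "redpanda-default-root-issuer"}),
    _obj("Certificate", "redpanda-redpanda-cert", "redpanda",
         {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}),
    _obj("Certificate", "redpanda-redpanda-root-certificate", "redpanda",
         {"name": "redpanda-redpanda-selfsigned-issuer", "kind": "Issuer"}),
]

if __name__ == "__main__":
    # With a cluster: kubectl get certificates,issuers,clusterissuers -A -o json | python check_issuers.py -
    items = json.load(sys.stdin)["items"] if sys.argv[1:] == ["-"] else SAMPLE
    for ns, cert, kind, issuer in dangling_issuer_refs(items):
        print(f"{ns}/{cert}: {kind} {issuer!r} not found")
```

An Issuer of the same name in another namespace does not satisfy the reference, which is why the sample still reports the root certificate.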

@JakeSCahill
Contributor

I'm now able to get TLS working with Let's Encrypt and a custom domain 🎉 thanks @alejandroEsc !

This isn't a blocker, but I still get this disused root Certificate being created: #289 (comment)

@alejandroEsc
Contributor Author

redpanda redpanda-default-root-certificate True redpanda-default-root-certificate 15m

What I am seeing is what I was hoping not to see, so we may have to change a few things about certs, but when I compute the values file from what you are doing, and even when I use my own values file, I get the following:

```yaml
...
tls:
  certs:
    default:
      caEnabled: true
    redpanda:
      caEnabled: false
      issuerRef:
        kind: ClusterIssuer
        name: letsencrypt-prod
  enabled: true
tuning: {}
...
```

This is why the default cert is created. I'll investigate this a bit further.

@joejulian
Contributor

This is a breaking change and I think it's still broken if someone uses a different issuer for the admin cert. We need to find a way to test this with different issuers.

@alejandroEsc
Contributor Author

Closing this PR. This will fix the issues we see when trying to use certs meant for external clients internally.

@alejandroEsc alejandroEsc deleted the ae/cert/issues branch April 12, 2023 20:23