-
Notifications
You must be signed in to change notification settings - Fork 680
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gateway-provisoner: customize the cert's lifetime #6604
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: gang.liu <[email protected]>
Signed-off-by: gang.liu <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #6604 +/- ##
=======================================
Coverage 81.76% 81.77%
=======================================
Files 133 133
Lines 15944 15947 +3
=======================================
+ Hits 13037 13040 +3
Misses 2614 2614
Partials 293 293
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, few comments inline.
Signed-off-by: gang.liu <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested the change and it worked great, both contourcert and envoycert were getting the configured expiry period.
I still added some more suggestion to rephrase the documentation, since I thought there might be a chance of misunderstanding what certificates are being discussed, especially for those who do not use Gateway API.
Looking at the existing docs, it seems to me we might have a gap describing the auto-generated xDS certificates in context of Gateway API and how to life-cycle manage them. Being able to set expiry via certLifetime
is good but it should preferably be clearly documented that the gateway provisioner has no capability to renew every certLifetime
days - we could create a new issue for that.
Signed-off-by: gang.liu <[email protected]>
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
ping @tsaarni |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @izturn, looks good to me!
I wonder if others want to still to comment, especially those who are actively using Gateway API in their production (unlike me)?
@skriss @sunjayBhatia , WDYT? |
An additional thought occurred to me regarding the API changes. I'm speculating here, but imagine that in the future, the gateway-provisioner might support Cert-manager instead of certgen. It could create Cert-manager CRs for Contour and Envoy, allowing Cert-manager to handle certificate management. With that in mind, are we introducing anything in this PR that could make it harder to add support for Cert-manager in the API later on?
It might be easier to support future attributes if we group certificate-related fields into a struct, rather than adding them all flat under More specifically, XDS certificates aren't purely a Contour setting since they also impact Envoy. I understand that the current field naming under Similar to certgen, Cert-manager allows configuring certificate lifetimes via the |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
Signed-off-by: Gang Liu [email protected]
In the past, we could only use 'Certgen' to set the lifetime, this PR has added the new way to set it through
provisioner