CertManager support for HostedCE #480
Conversation
| metadata: | ||
| name: osg-hosted-ce-{{ .Values.Instance }}-certificate | ||
| spec: | ||
| secretName: {{ .Values.HostCredentials.HostCertKeySecret }} |
There was a problem hiding this comment.
Any reason we can't be prescriptive here and just turn around and use this in the deployment.yaml?
There was a problem hiding this comment.
I think as long as we don't plan to support creating Let's Encrypt secrets outside of SLATE, I think that's okay. We'll need to possibly redeploy existing HostedCEs to get their certs to line up.
There was a problem hiding this comment.
Can't we just handle the different cases with a bunch of if blocks in the deployment? I think we have 3 mutually exclusive cases here:
- They set
.Values.HostCredentials.CertManager.Enabledthen we create the certmanager secret with a known name and use that in a deployment - They give us their own secret with a host cert/key pair then we assume the operator knows what they're doing and we use that
- They don't provide a secret and the container automatically pulls in a new LE cert
There was a problem hiding this comment.
Indeed.. I am also wondering if we should consider dropping, e.g. having the container pull in a LE cert on its own. Do we really want to maintain this going forward? What do you think about saying "Use CertManager or provide your own IGTF certs" to users outside of River/Tiger ?
There was a problem hiding this comment.
I don't think it really hurts to keep it in as long as we communicate to folks that it's not recommended for prod use
|
Checking in on the status of this work as there are merge conflicts. |
adamhgriffith-uofu
changed the title
This is a WIP for #470. Haven't yet tested but here's what I'm thinking.