Renew LetsEncrypt certificates #641
Conversation
Hey @iulianbarbu, thanks for the PR 😄
Gateway should create a trace event with "got authorization" (a few lines earlier). IIRC, this log will contain some challenge URL that can help with the debugging
Hey @chesedo! Thanks for taking a look. On the pebble side, the above log I sent contains this at the end, but I haven't checked the corresponding trace events on the gateway side. I'll try again.
Thanks for the updates @iulianbarbu
LGTM
Thanks for this Iulian, LGTM to me too! I left a few comments but mostly just nice things and a question or two 😄
...and gateway certificate renewal. * added a new `request-gateway-certificate` admin command to renew the gateway certificate on-demand. * added gateway admin APIs for custom domains and gateway certificate renewal. Note: requesting renewal for the gateway certificate requires manually inserting a DNS TXT record to complete the ACME DNS-01 challenge. Signed-off-by: Iulian Barbu <iulianbarbu2@gmail.com>
...and removed Makefile containers' additional build args for panamax and postgres. It seems there is a 'PLATFORMS' env variable in the Makefile which can be set before building the images and used by `buildx` to build against the mentioned target platforms. The `PLATFORMS` env variable is not needed on my machine because I use Docker Desktop, which supports running containers built for other archs using, behind the scenes, a LinuxKit VM that intercepts [1][2] the binaries and runs them using binfmt_misc, through QEMU [1]. [1] https://www.docker.com/blog/the-magic-behind-the-scenes-of-docker-desktop/ [2] https://stackoverflow.com/questions/72444103/what-does-running-the-multiarch-qemu-user-static-does-before-building-a-containe Signed-off-by: Iulian Barbu <iulianbarbu2@gmail.com>
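The commit note above says that renewing the gateway certificate requires the operator to publish a DNS TXT record by hand for the ACME dns-01 challenge. The following is an added example, not code from this PR or from the shuttle repository, showing how the record name and value are derived from the challenge token and the ACME account key, per RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint). The function names, the sample JWK and the sample token are constructed for the illustration and are not real key material or real challenge data; it also covers the wildcard case, where the record sits under the base domain, and the CA-side comparison that Pebble or Let's Encrypt performs when it looks the record up.

```python
"""Derive the dns-01 TXT record for an ACME challenge (added example, not shuttle code).

Names and sample data below are assumptions made for this illustration.
"""
import base64
import hashlib
import json

# Constructed sample data: NOT a real account key and NOT a real challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://localhost:14000/my-account/1",  # optional member, must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members, sorted keys, no whitespace.

    Extra members such as "kid" or "alg" are deliberately dropped; including them would
    change the hash and therefore the challenge value the CA computes for your account.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    try:
        members = required[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), per RFC 7638 section 3."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, binding the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(fqdn: str, token: str, jwk: dict) -> tuple:
    """Return (record_name, txt_value) to publish for the dns-01 challenge of `fqdn`.

    RFC 8555 section 8.4: the value is base64url(SHA-256(key authorization)) and the
    name is _acme-challenge.<identifier>; for a wildcard the identifier is the base domain.
    """
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    name = "_acme-challenge." + fqdn.rstrip(".") + "."
    value = b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())
    return name, value


def dns01_satisfied(txt_answers, expected_value: str) -> bool:
    """CA-side check: some TXT string at the challenge name must equal the value exactly.

    A TXT RDATA may be split into several character-strings; those are joined before
    comparing. Stale records from earlier challenges are simply ignored, so a fresh
    renewal only needs its own record added, not the old ones removed first.
    """
    for answer in txt_answers:
        if isinstance(answer, (list, tuple)):
            answer = "".join(answer)
        if answer == expected_value:
            return True
    return False


if __name__ == "__main__":
    name, value = dns01_record("gateway.shuttle.example", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'publish TXT {name} "{value}" before telling the CA to validate the challenge')
```

The token in a real run comes from the challenge object the gateway logs at "got authorization" (the challenge URL mentioned in the review discussion points at that object), and the JWK is the gateway's ACME account key; the operator publishes the TXT record, waits for it to propagate, and only then has the CA validate.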
Simplified the functions' signatures to use only the `AccountCredentials`, which are received from the API requests and read as well from the gateway state when needed.
...when needing to request/renew custom-domain and gateway certificates on the local environment.
Strings that are returned by gateway API requests must be wrapped within double quotes to be deserialized with serde_json.
Thanks for all the edits @iulianbarbu. LGTM
...of pem files.
Closes #621.
Description
This PR adds functionality that enables the periodical renewal of LetsEncrypt certificates. These certificates have a validity window of 90 days and it is recommended to renew them 30 days before expiration. The functionality will cover renewal requested through `/admin/acme/request/:project_name/:fqdn` or through the `shuttle-admin` CLI.
Testing (WIP)
1) End-to-end manual test of the certificate renewal with all shuttle components deployed locally. I have some issues with the shuttle local deployment that block me while testing. I need some more time to understand how to enable shuttle locally, with pebble deployed locally as the CA.
2) Unit testing for the introduced business logic where it makes sense and is possible. I spent lots of time on 1) and I'll need to come back to this.
I welcome any suggestions on steps/guides/docs for how to enable the shuttle components locally to test the certificate renewal.
Documentation
I haven't seen much documentation on how to test the admin functionality related to certificate requests, so I hope I'll be able to compile something worth mentioning after finishing this.
Review-wise
Besides the code review, I am curious to understand first whether this PR covers what #621 asks for functionality-wise. I would be happy to follow up with code adjustments if there are suggestions for improvement. Also, in parallel, I'll try to come back with information on the testing aspect.