Automatic TLS Certificates for on-acorn domains
Ref #205
To-Do
- [x] Renew if expired
- [x] Set as default for Acorn Managed Ingress
- [x] Get Let's Encrypt details from user input
- [x] Re-Generate if Let's Encrypt settings changed (environment or email)
Still hitting some issue that needs fixing:
acorn-controller-5d889f4d64-k8xc5 acorn-controller time="2022-09-14T18:50:00Z" level=error msg="error syncing 'acorn-system/acorn-config': handler acorn /v1, Kind=ConfigMap: problem generating wildcard certificate: error: one or more domains had a problem:\n[*.o84oxs.staging.on-acorn.io] [*.o84oxs.staging.on-acorn.io] acme: error presenting token: unexpected response status code: 500\n, requeuing"

Default: Let's Encrypt Staging

Let's Encrypt Production


@iwilltry42 - need to do a `make generate` and a `make gen-docs`.
If a user installs acorn without `--tls-enabled --lets-encrypt --lets-encrypt-email` and wants to enable LE later, should the user just reinstall with the flags? Will it require any restart on the acorn api or controller?
OK, here is the summary of todos/changes/comments, adapted from what you sent me:
- [x] Update host prefix handling according to https://github.com/acorn-io/acorn/pull/693#discussion_r981859831
- [x] When configured to use staging LE, set the email to [email protected]. If the user supplies an email anyway, respect it https://github.com/acorn-io/acorn/pull/693#discussion_r981815386
- [x] Cert loop should not block/error-out DNS config handler. This is currently causing it to spam acorn-dns with new domain requests
- [x] ~Cert Refresh will be handled in a Daemon as well~ Per our slack convo and my comments here, I changed my mind. The current approach is good enough, like you said
- [x] Other PR comments, like changing the visibility of functions/variables in the letsencrypt.go file
- [x] Run `make generate` and `make gen-docs` to get the build passing
- [x] Skip the local DNS check for the TXT record and instead just wait 60 seconds per: https://github.com/acorn-io/acorn/pull/693#discussion_r982830198
If you wanted to get the above core functionality done and get the PR merged and then follow up on the below in a separate PR, I'd be fine with that, up to you.
If the user opts-in to product let's encrypt, do the following:
- [x] Prompt the user to agree to the TOS per: https://github.com/acorn-io/acorn/pull/693#pullrequestreview-1122851564
- [x] Add a message in the install output saying "You've enabled automatic TLS certificates with Let's Encrypt. This can take a few minutes to configure"
- [x] Add something to `acorn info` to say whether or not the certificate has been issued. Can be as simple as `letsEncrypt: production, pending` / `letsEncrypt: production, provisioned`
- [ ] The URLs in `acorn ps` should start with https. Doing this to all endpoints actually is probably an oversimplification. So, if you can figure out a more elegant solution to do it on a per endpoint basis, great. But I don't want that to hold up shipping this feature this week. All that logic is here: https://github.com/acorn-io/acorn/blob/main/pkg/controller/appdefinition/status.go#L390-L397
That's it. I mentioned in slack that I might pick up some of this work. But I don't think that makes sense. It's all yours. I'd really like to get this merged tomorrow if you can churn through it.
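To make the two config rules in this thread concrete (staging gets a default email unless the user supplies one, and the cert is re-generated whenever the Let's Encrypt environment or email changes or the cert is near expiry), here is an added illustration in Go. It is not acorn's own code; the default email address, the 30-day renewal window and the `Issuance`/`StoredCert` types are assumptions, while the two ACME directory URLs are the public Let's Encrypt endpoints.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed example, not acorn's code: resolve the Let's Encrypt settings the
// PR discusses and decide whether the stored wildcard cert must be (re)generated.
const (
	stagingDirectory    = "https://acme-staging-v02.api.letsencrypt.org/directory"
	productionDirectory = "https://acme-v02.api.letsencrypt.org/directory"
	stagingDefaultEmail = "staging-default@example.invalid" // placeholder; real address redacted
	renewBefore         = 30 * 24 * time.Hour                // assumed renewal window
)

type Issuance struct {
	Directory, Email string // recorded with the cert so setting changes are detectable
}

// Resolve maps --lets-encrypt=<env> and --lets-encrypt-email to ACME settings.
// Staging gets a default email unless the user supplied one; production requires one.
func Resolve(env, email string) (Issuance, error) {
	switch env {
	case "", "staging":
		if email == "" {
			email = stagingDefaultEmail
		}
		return Issuance{stagingDirectory, email}, nil
	case "production":
		if email == "" {
			return Issuance{}, fmt.Errorf("production Let's Encrypt requires --lets-encrypt-email")
		}
		return Issuance{productionDirectory, email}, nil
	}
	return Issuance{}, fmt.Errorf("unknown Let's Encrypt environment %q", env)
}

type StoredCert struct {
	Issued   Issuance  // settings the existing cert was issued under
	NotAfter time.Time // expiry of the existing cert
}

// NeedsRegen: no cert, different environment/email, or expiry within renewBefore.
func NeedsRegen(stored *StoredCert, want Issuance, now time.Time) bool {
	if stored == nil || stored.Issued != want {
		return true
	}
	return !now.Add(renewBefore).Before(stored.NotAfter)
}
```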
> If a user installs acorn without `--tls-enabled --lets-encrypt --lets-encrypt-email` and wants to enable LE later, should the user just reinstall with the flags? Will it require any restart on the acorn api or controller?
I think this was clarified via Slack already, but no, it won't require restarts as it's hooked up in the config handler and secret changes are propagated transparently. :magic_wand:
Rebased, fixed conflicts and re-generated docs.
~make generate still does not generate the openapi stuff for me, so maybe one of you can look into this?~
Needed to unset GOPATH before running make generate, otherwise the openapi spec would be generated under the GOPATH...