Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add csr-domain-name config option #381

Merged
merged 7 commits into from
Feb 29, 2024
Merged

feat: add csr-domain-name config option #381

merged 7 commits into from
Feb 29, 2024

Conversation

DnPlas
Copy link
Contributor

@DnPlas DnPlas commented Feb 20, 2024
edited
Loading

feat: enable csr-domain-name config option so istio-pilot can use it on CSRs

The istio-pilot charm already has a mechanism in place to discover the ingress gateway address from the Service, but it is limited to only returning IP addresses, which not all TLS certificate providers accept as a valid cert subject. Having the domain-name config option will allow users to specify the domain name they'd like to use when integrating with TLS certificate operators. This feature expands the support for integrating with TLS certificate providers that cannot issue signed certificates on a CSR that only contains an IP address (like we used to do).
This commit also adds some test coverage to test the recently added code.

Fixes #379

@DnPlas DnPlas force-pushed the KF-5337-domain-name-config branch from 932e70a to ba6278d Compare February 22, 2024 13:02
@DnPlas DnPlas marked this pull request as ready for review February 22, 2024 13:03
@DnPlas DnPlas requested a review from a team as a code owner February 22, 2024 13:03
@DnPlas DnPlas changed the title WIP istio tls improvements feat: enable domain-name config option so istio-pilot can use it on CSRs Feb 22, 2024
@DnPlas
feat: enable domain-name config option so istio-pilot can use it on CSRs
606107c 
Having the domain-name config option will allow users to specify the domain name they'd like
to use when integrating with TLS certificate operators. This feature expands the support for
integrating with TLS certificate providers that cannot issue signed certificates on a CSR that
only contains an IP address (like we used to do).
This commit also adds some test coverage to test the recently added code.

Fixes #379
@DnPlas DnPlas force-pushed the KF-5337-domain-name-config branch from ba6278d to 606107c Compare February 23, 2024 08:40
ca-scribner
ca-scribner reviewed Feb 23, 2024
View reviewed changes
tests/test_bundle.py Outdated Show resolved Hide resolved
orfeas-k
orfeas-k reviewed Feb 23, 2024
View reviewed changes
Copy link
Contributor

@orfeas-k orfeas-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @DnPlas. I'm adding what we discussed in Matrix:

  • Have you tested this? Should a reviewer test this too? If yes, how?
  • Do we need to update docs for this and how it's supposed to be used?

In general the changes make sense to me and this is some good work. I have some thoughts on the cert_subject property, but let's see what you think as well.

charms/istio-pilot/src/charm.py Outdated Show resolved Hide resolved
charms/istio-pilot/src/charm.py Outdated Show resolved Hide resolved
@DnPlas
Copy link
Contributor Author

DnPlas commented Feb 23, 2024

I expect the CI to fail until we merge #382

ca-scribner
ca-scribner reviewed Feb 23, 2024
View reviewed changes
Copy link
Contributor

@ca-scribner ca-scribner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a few suggestions but mostly lgtm

I'm getting stuck a little trying to review this because there's so many different combinations. I think it would help if the docstrings on ingress_gateway_host and _cert_subject described the possible outcomes

@jnsgruk
Copy link
Member

jnsgruk commented Feb 23, 2024

Can we line up the name of the config option with that of Traefik etc? (I think they use external_hostname or something like that?)

@DnPlas
Copy link
Contributor Author

DnPlas commented Feb 26, 2024
edited
Loading

Can we line up the name of the config option with that of Traefik etc? (I think they use external_hostname or something like that?)

Hey @jnsgruk the reason why I did not want to use the same name as them is because traefik actually uses the external hostname to configure the traefik provider in a more explicit way, while in istio it is done more implicitly (by the LB configuration, for instance). I did not want users to assume this option was the same as we are limiting it to just use it for TLS configuration purposes.

I could see us having a more explicit configuration for the external hostname (the name users will reach on their browsers), but that seems out of scope of this PR. wdyt?

EDIT: or we could not have the option at all and use our "automatic" discovery and keep it implicit in istio. I will explore this option a bit more.

@jnsgruk
Copy link
Member

jnsgruk commented Feb 26, 2024

EDIT: or we could not have the option at all and use our "automatic" discovery and keep it implicit in istio. I will explore this option a bit more.

This sounds like a better plan to me :)

@DnPlas
Copy link
Contributor Author

DnPlas commented Feb 26, 2024

EDIT: or we could not have the option at all and use our "automatic" discovery and keep it implicit in istio. I will explore this option a bit more.

This sounds like a better plan to me :)

Yeah, definitely. Will update the PR shortly.

@DnPlas DnPlas changed the title feat: enable domain-name config option so istio-pilot can use it on CSRs feat: allow istio-pilot to construct the CSR cert_subject from the ingress gateway address Feb 26, 2024
@DnPlas DnPlas changed the title feat: allow istio-pilot to construct the CSR cert_subject from the ingress gateway address feat: add csr-domain-name config option Feb 28, 2024
@DnPlas
Copy link
Contributor Author

DnPlas commented Feb 28, 2024

Thanks @ca-scribner for the review, this is ready for another pass.

ca-scribner
ca-scribner approved these changes Feb 28, 2024
View reviewed changes
Copy link
Contributor

@ca-scribner ca-scribner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

There's CI failures atm which I think are unrelated to this feature, but will block publishing after this merges

@DnPlas DnPlas merged commit 6ad839d into main Feb 29, 2024
17 checks passed
@DnPlas DnPlas deleted the KF-5337-domain-name-config branch February 29, 2024 13:40
DnPlas added a commit that referenced this pull request Mar 1, 2024
@DnPlas
feat: add csr-domain-name config option (#381)
876b27b 
feat: enable csr-domain-name config option so istio-pilot can use it on CSRs

The istio-pilot charm already has a mechanism in place to discover the ingress gateway address from the `Service`, but it is limited to only returning IP addresses, which not all TLS certificate providers accept as a valid cert subject. Having the domain-name config option will allow users to specify the domain name they'd like to use when integrating with TLS certificate operators. This feature expands the support for integrating with TLS certificate providers that cannot issue signed certificates on a CSR that only contains an IP address (like we used to do).
This commit also adds some test coverage to test the recently added code.

Fixes #379
DnPlas added a commit that referenced this pull request Mar 4, 2024
@DnPlas
feat: add csr-domain-name config option (#381)
0ce0a6d 
feat: enable csr-domain-name config option so istio-pilot can use it on CSRs

The istio-pilot charm already has a mechanism in place to discover the ingress gateway address from the `Service`, but it is limited to only returning IP addresses, which not all TLS certificate providers accept as a valid cert subject. Having the domain-name config option will allow users to specify the domain name they'd like to use when integrating with TLS certificate operators. This feature expands the support for integrating with TLS certificate providers that cannot issue signed certificates on a CSR that only contains an IP address (like we used to do).
This commit also adds some test coverage to test the recently added code.

Fixes #379
DnPlas added a commit that referenced this pull request Mar 4, 2024
@DnPlas
Merge pull request #386 from canonical/dnplas-cherry-pick-6ad839d
b5353cc 
feat: add `csr-domain-name` config option  (#381)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orfeas-k orfeas-k orfeas-k left review comments

@kimwnasptd kimwnasptd kimwnasptd left review comments

@ca-scribner ca-scribner ca-scribner approved these changes

Assignees
No one assigned
Labels
Libraries: Out of sync
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Integration with charms for Let's encrypt certificates
5 participants
@DnPlas @jnsgruk @kimwnasptd @orfeas-k @ca-scribner