feat(oauth2proxy): enable self-signed TLS cert #210
base: main
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }} | ||
{{- $fullName := include "cryostat.fullname" . }} | ||
{{- $cert := genSelfSignedCert $fullName nil nil 365 }} | ||
Just a question: This means the certificate expires after a year, right? This means the users have to rotate the certificate themselves? Any thoughts about depending on |
Yea, it'll expire after a year. Users have to rotate it themselves or figure out something else automated. I don't really want to get into adding an external dependency to the Helm chart, since part of the reason for the chart to exist is for users who can't use the Operator, ex. because they don't have full admin control of the cluster or whatever else. If the user needs TLS but can't install the Operator, then this gives them at least something to work with as a starting point, and then they can build whatever other automation they need on top to suit their particular deployment environment. |
Sounds good! Thanks for explaining! I think a quick note in README about this would be helpful :D |
||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ .Release.Name }}-oauth2proxy-tls | ||
labels: | ||
{{- include "cryostat.labels" $ | nindent 4 }} | ||
type: Opaque | ||
immutable: true | ||
data: | ||
cert: {{ $cert.Cert | b64enc }} | ||
key: {{ $cert.Key | b64enc }} | ||
{{- end -}} |
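Review bot: `immutable: true` conflicts with `genSelfSignedCert` being evaluated on every render. Each `helm upgrade` produces a fresh cert/key pair, so the rendered `data` differs from what is stored, and the API server rejects data changes to an immutable Secret. Either reuse the existing values when the Secret is already present (for example by reading it with `lookup` and only calling `genSelfSignedCert` when nothing is found) or drop `immutable: true`. Reusing the stored pair also means the 365-day validity starts at first install rather than at the last upgrade, which is worth stating in the README note requested in the thread.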
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }} | ||
{{- $fullName := include "cryostat.fullname" . }} | ||
{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ .Release.Name }}-oauth2proxy-reports-tls | ||
labels: | ||
{{- include "cryostat.labels" $ | nindent 4 }} | ||
type: Opaque | ||
immutable: true | ||
data: | ||
cert: {{ $cert.Cert | b64enc }} | ||
key: {{ $cert.Key | b64enc }} | ||
{{- end -}} |
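Review bot: the `genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365` call passes `nil` for both the IP list and the alternate DNS names, so the certificate carries its name only in the subject CN and has no subjectAltName entries. TLS clients that verify hostnames against SANs only will fail verification, which pushes users toward disabling verification altogether. Suggest passing the DNS names that clients actually connect to as the third argument; the same applies to the call in the non-reports Secret. Separately, the Secret `name` is built from `.Release.Name` while the certificate name comes from `cryostat.fullname`; if those can differ, it is worth confirming the CN matches the hostname being served.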
Should this be wrapped in the if block above?