Skip to content

Feature/custom certs #130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 22 commits into from
Nov 21, 2024
Merged

Feature/custom certs #130

merged 22 commits into from
Nov 21, 2024

Conversation

rustyjux
Copy link
Contributor

@rustyjux rustyjux commented Nov 18, 2024
edited
Loading

Description

Fixes:

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Documentation (non-breaking change with enhancements to documentation)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have checked that unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

@rustyjux
Copy link
Contributor Author

Currently deployed in dev (Silver, Gold/DR) at 5ba7708

Can see example route in Gold - https://console.apps.gold.devops.gov.bc.ca/k8s/ns/b8840c-dev/routes/wild-ns-gw-41c0c-webapps.gov.bc.ca from:

# contains .api.gov.bc.ca certificate which is also valid for webapps.gov.bc.ca
certificates:
  - cert: "NORMAL_DATA_API_CERT"
    key: "NORMAL_DATA_API_KEY"
    tags: [ns.gw-41c0c]
    id: 73600400-dc9b-45be-9518-47cb0e6b203e
    snis:
      - name: webapps.gov.bc.ca
        id: 79009c9e-0f4d-40b5-9707-bf2fe9f50502
        tags: [ns.gw-41c0c]
services:
  - name: that-custom-one
    host: httpbin.org
    tags: [ns.gw-41c0c]
    port: 443
    protocol: https
    routes:
      - name: test-aps-webapps
        tags: [ns.gw-41c0c, random]
        hosts:
          - webapps.gov.bc.ca
  - name: another-non-custom-one
    host: httpbin.org
    tags: [ns.gw-41c0c]
    port: 443
    protocol: https
    routes:
      - name: that-non-custom-one
        tags: [ns.gw-41c0c]
        hosts:
          - new.api.gov.bc.ca

@rustyjux rustyjux marked this pull request as ready for review November 18, 2024 19:40
ikethecoder
ikethecoder requested changes Nov 19, 2024
View reviewed changes
microservices/gatewayJobScheduler/app.py
break

for host in route_obj['hosts']:
# Look for a matching certificate by SNI for custom domains
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this new block of logic be moved to a separate function that returns cert and cert_id? Also, not sure if the Kong id is a sufficient identifier for determining there is a changed cert, because a user can update the cert.cert and cert.key while keeping the kong id the same. You could hash the cert.cert and use that, or inspect the cert itself to get the serial number. Alternatively, don't bother passing the sslCertificateId and let kube api dig out the serial number for comparison.

microservices/kubeApi/clients/ocp_routes.py Outdated
custom_cert_label= ''
custom_cert_found = False

if is_host_custom_domain(host):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than duplicating the is_host_custom_domain function, I would just skip it, and assume that if the certificates is passed, then it is only including custom certs.. so just need to move the logger.debug line under the if certificates. You can then delete the is_host_custom_domain for kube.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe it's necessary to keep is_host_custom_domain - otherwise how to have kube raise an exception when a custom domain is used but no certs are provided?

e.g. this test: https://github.com/bcgov/gwa-api/blob/feature/custom-certs/microservices/kubeApi/tests/clients/test_ocp_routes.py#L161

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kube can still raise an exception - if no cert is found an exception should be thrown

microservices/kubeApi/clients/ocp_routes.py Outdated
logger.debug("[%s] Route A %03d matched ssl cert %s" % (select_tag, index, ssl_ref))
ssl_key = read_and_indent("/ssl/%s.key" % ssl_ref, 8)
ssl_crt = read_and_indent("/ssl/%s.crt" % ssl_ref, 8)
ssl_key = read_and_indent("/ssl/%s.key" % ssl_ref, 8)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if host_transformation is enabled? Where does ssl_key and ssl_crt get set to when custom_cert_found is False?

@rustyjux
Copy link
Contributor Author

@ikethecoder I believe I have address our issues in the last set of commits

@ikethecoder ikethecoder merged commit 74ff810 into dev Nov 21, 2024
7 checks passed
This was referenced Nov 21, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ikethecoder ikethecoder ikethecoder approved these changes

@Elson9 Elson9 Awaiting requested review from Elson9

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rustyjux @ikethecoder