fix(certgen): make kubernetes server sans authoritative#2221
Open
TaylorMutch wants to merge 1 commit into
Open
fix(certgen): make kubernetes server sans authoritative#2221TaylorMutch wants to merge 1 commit into
TaylorMutch wants to merge 1 commit into
Conversation
Closes #2096 Use Helm's release-aware SAN list exactly for Kubernetes certificate generation while preserving additive local defaults. Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
2 tasks
|
🌿 Preview your docs: https://nvidia-preview-pr-2221.docs.buildwithfern.com/openshell |
Collaborator
Author
|
CC @akram for awareness since this is related to the issue you opened |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Make Kubernetes certificate generation use the complete release- and namespace-aware SAN list supplied by Helm. Preserve the existing additive defaults and certificate refresh behavior for local Docker, Podman, package, and E2E filesystem generation.
Related Issue
Closes #2096
Changes
crates/openshell-bootstrap/src/pki.rs: add an explicit authoritative SAN generation API while retaining additive local defaults.crates/openshell-server/src/certgen.rs: select SAN behavior by Kubernetes versus local output mode, including dry runs, and document the CLI contract.deploy/helm/openshell/values.yaml: remove stale cert-manager DNS defaults already supplied by the release-aware Helm helper while retaining the loopback IP default.deploy/helm/openshell/tests/: cover authoritative certgen arguments and release-aware cert-manager SAN rendering.architecture/gateway.md,docs/kubernetes/setup.mdx, and generated Helm README: document SAN ownership and extra-value behavior.Deviations from Plan
The cert-manager
127.0.0.1IP SAN default remains in values because, unlike the stale DNS entries, it is not supplied by the DNS helper and is required for documented port-forward hostname verification. No other deviations.Testing
mise run pre-commitpassesmise run testpassese2e/changed)Tests added:
Checklist
Documentation updated:
architecture/gateway.md: Kubernetes authoritative versus filesystem additive PKI invariant.docs/kubernetes/setup.mdx: Helm SAN values append release-aware defaults.deploy/helm/openshell/README.md: regenerated chart values documentation.