Skip to content

fix(certgen): make kubernetes server sans authoritative#2221

Open
TaylorMutch wants to merge 1 commit into
mainfrom
fix/2096-authoritative-server-sans/TaylorMutch
Open

fix(certgen): make kubernetes server sans authoritative#2221
TaylorMutch wants to merge 1 commit into
mainfrom
fix/2096-authoritative-server-sans/TaylorMutch

Conversation

@TaylorMutch

Copy link
Copy Markdown
Collaborator

🏗️ build-from-issue-agent

Summary

Make Kubernetes certificate generation use the complete release- and namespace-aware SAN list supplied by Helm. Preserve the existing additive defaults and certificate refresh behavior for local Docker, Podman, package, and E2E filesystem generation.

Related Issue

Closes #2096

Changes

  • crates/openshell-bootstrap/src/pki.rs: add an explicit authoritative SAN generation API while retaining additive local defaults.
  • crates/openshell-server/src/certgen.rs: select SAN behavior by Kubernetes versus local output mode, including dry runs, and document the CLI contract.
  • deploy/helm/openshell/values.yaml: remove stale cert-manager DNS defaults already supplied by the release-aware Helm helper while retaining the loopback IP default.
  • deploy/helm/openshell/tests/: cover authoritative certgen arguments and release-aware cert-manager SAN rendering.
  • architecture/gateway.md, docs/kubernetes/setup.mdx, and generated Helm README: document SAN ownership and extra-value behavior.

Deviations from Plan

The cert-manager 127.0.0.1 IP SAN default remains in values because, unlike the stale DNS entries, it is not supplied by the DNS helper and is required for documented port-forward hostname verification. No other deviations.

Testing

  • mise run pre-commit passes
  • mise run test passes
  • Unit tests added/updated
  • Helm integration tests added/updated
  • E2E tests not required (no files under e2e/ changed)

Tests added:

  • Unit: bootstrap additive/authoritative SAN construction and certgen Kubernetes/local mode selection.
  • Integration: 64 Helm unit tests, including new release/namespace SAN and configured-extra coverage.
  • E2E: N/A — no E2E files changed; certificate contents and Helm handoff are covered deterministically.

Checklist

  • Follows Conventional Commits
  • Commit is signed off (DCO)

Documentation updated:

  • architecture/gateway.md: Kubernetes authoritative versus filesystem additive PKI invariant.
  • docs/kubernetes/setup.mdx: Helm SAN values append release-aware defaults.
  • deploy/helm/openshell/README.md: regenerated chart values documentation.

Closes #2096

Use Helm's release-aware SAN list exactly for Kubernetes certificate generation while preserving additive local defaults.

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@github-actions

Copy link
Copy Markdown

@TaylorMutch

Copy link
Copy Markdown
Collaborator Author

CC @akram for awareness since this is related to the issue you opened

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(certgen): use POD_NAMESPACE for default server SANs instead of hardcoded namespace

1 participant