-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
check for renewing status #13666
check for renewing status #13666
Conversation
Codecov ReportBase: 86.22% // Head: 86.14% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #13666 +/- ##
==========================================
- Coverage 86.22% 86.14% -0.08%
==========================================
Files 197 197
Lines 14783 14790 +7
==========================================
- Hits 12746 12741 -5
- Misses 1735 1745 +10
- Partials 302 304 +2
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
For visibility, I've been testing this by changing the cmCert spec to add a RenewBefore field. Since I'm using letsencrypt, the default lifetime of a cert is 90 days, and you can't really change it. But you can edit the RenewBefore field to force a renewal. Because of some letsencrypt + certmanager stuff I don't understand, the notBefore time is actually an hour before the cert is created. So if you set it to renew 1hr2mins after it was ready, you can force a renewal every 2 minutes. If you do exactly an hour, it gets kinda stuck in a renewal loop. anway, the cmCert spec then looks something like this:
Unfortunately, this doesn't seem to create the new http01 challenge endpoints. So I can't fully validate if the renewal change actually works. Still trying to understand why that is. UPDATE: I asked around and learned that LetsEncrypt will cache challenge authorizations for 30 days, see here. So even though I can force a renew, no challenge gets created since it is in the cache. UPDATE 2: So, you can clear this cache by deleting the letsencrypt issuer + secret and recreating the issuer, as explained here. I was able to do this, and could see the certificate get renewed, and see that the new HTTP01 Challenges were added to the kcert status. |
0b82832
to
529f7d7
Compare
529f7d7
to
5e7c63b
Compare
* when reconciling routes * adde extra logging around the renewing codepath
5e7c63b
to
014e3be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add a unit test.
Similarly, we might be able to add an e2e test that users our self-signed cluster issuer
logger.Infof("Renewing Condition detected on Cert (%s), will attempt creating new challenges.", cert.Name) | ||
} | ||
} | ||
if cert.IsReady() && !isRenewing { | ||
r.Status.MarkCertificateReady(cert.Name) | ||
tls = append(tls, resources.MakeIngressTLS(cert, dnsNames.List())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Going into the else
flow will mark the route not ready - which we don't want since it can still serve traffic.
bf14e2a
to
00fe5dd
Compare
@dprotaso I added the unit test Regarding this though:
I don't know of a way to make a self signed issuer to http01 challenges. The selfsigned issuer definition doesn't have a place to define solvers from what I can tell:
|
00fe5dd
to
5c5f6c2
Compare
5c5f6c2
to
399868d
Compare
49fb83b
to
fc29e3a
Compare
fc29e3a
to
a5e0f22
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leaving the hold in case you want to address the nit - feel free to drop it
/lgtm
/approve
/hold
pkg/reconciler/route/route_test.go
Outdated
// The starting state is a route and ingress is ready with AutoTLS enabled, and | ||
// a kcert that is ready, and has the renewing = true condition. | ||
func TestAutoTLSCertRenewel(t *testing.T) { | ||
ctx, informers, ctl, _, cf := newTestSetupWithConfigMaps(t, autoTLSConfigMaps) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: You might be able to simplify this test by lumping it into the following table test
serving/pkg/reconciler/route/table_test.go
Line 2344 in a5e0f22
func TestReconcileEnableAutoTLS(t *testing.T) { |
Those table tests test a single Reconcile call and will assert create/update etc. occurs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah okay, I'll give that a try
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dprotaso, KauzClay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
dd34c06
to
556c2cd
Compare
* it is a little simpler than doing it in route_test.go
556c2cd
to
02a1c3f
Compare
/lgtm |
/test istio-latest-no-mesh |
Fixes # knative-extensions/net-certmanager#416
Related to # knative-extensions/net-certmanager#482
Proposed Changes
Release Note