Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: support multiple certificates in coder server and helm#4150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
deansheather merged 4 commits intomainfromdean/multi-tls
Oct 4, 2022

Conversation

deansheather
Copy link
Member

@deansheatherdeansheather commentedSep 22, 2022
edited
Loading

Adds multiple certificate support tocoder server and the Helm chart as it's likely admins will want to be able to use multiple certificates to support the new wildcard access feature.

  • Converts--tls-cert-file and--tls-key-file to be array flags instead of single string flags.
  • Changes the TLS certificate loading logic to support accepting two arrays.
  • Adds new Helm valuecoder.tls.secretNames for loading multiple certificates.
  • Moves the TLS certificate templating logic to_helpers.tpl.
  • Deprecatecoder.tls.secretName in favor ofcoder.tls.secretNames.
  • AddNOTES.txt that informs users if they are using the deprecated value and says hi. :)

TODO:

  • Tests for thecoder server multiple certificate loading functionality.
  • Tests of the Helm chart usinghelm template andhelm install --dry-run to ensure template correctness.
  • Manual tests of the Helm chart in real clusters.

@deansheatherdeansheather marked this pull request as ready for reviewSeptember 29, 2022 08:46
@deansheatherdeansheather requested review fromcoadler andkylecarbs and removed request forkylecarbsSeptember 29, 2022 08:46
cli/server.go Outdated
Comment on lines 1078 to 1098
tlsConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
// If there's only one certificate, return it.
if len(certs) == 1 {
return &certs[0], nil
}

// Expensively check which certificate matches the client hello.
for _, cert := range certs {
cert := cert
if err := hi.SupportsCertificate(&cert); err == nil {
return &cert, nil
}
}

// Return the first certificate if we have one, or return nil so the
// server doesn't fail.
if len(certs) > 0 {
return &certs[0], nil
}
return nil, nil //nolint:nilnil
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

👍 This allows us to hot reload certs later.

func configureTLS(listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFile, tlsKeyFile, tlsClientCAFile string) (net.Listener, error) {
func loadCertificates(tlsCertFiles, tlsKeyFiles []string) ([]tls.Certificate, error) {
if len(tlsCertFiles) != len(tlsKeyFiles) {
return nil, xerrors.New("--tls-cert-file and --tls-key-file must be used the same amount of times")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Suggested change
returnnil,xerrors.New("--tls-cert-file and --tls-key-file must beusedthe same amount of times")
returnnil,xerrors.New("the number of--tls-cert-file and --tls-key-file must be the same")

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I personally think the old message is better, what do you think@kylecarbs

dials int64
)
client := codersdk.New(accessURL)
client.HTTPClient = &http.Client{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Could add the certs to the client. But not a big deal as you verify hostname later 🤷

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm going to leave this as-is because we will get better test failure messages if the server somehow returns an unexpected certificate

Copy link
Member

@kylecarbskylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Did you manually test the Helm chart with multiple certificates? Just to confirm that it all works.

All the code looks good to me, and I'm impressed with how thorough the tests are 🥳

@deansheather
Copy link
MemberAuthor

Tested with real helm deployment and found a few bugs in the Helm chart which are now fixed in the latest commit. The coder binary worked flawlessly though.

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@EmyrkEmyrkEmyrk approved these changes

@kylecarbskylecarbskylecarbs approved these changes

@coadlercoadlerAwaiting requested review from coadler

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

4 participants
@deansheather@Emyrk@coadler@kylecarbs
[8]ページ先頭
©2009-2025 Movatter.jp