Return tls genSignedCert function back for proxy

Question

Return tls genSignedCert function back for proxy

emelyanovtv opened this issue 2 years ago · comments

In this specific commit was removed pomerium.proxy tls secret generation.

Is it possible return this feature with genSignedCert for proxy back somehow, since I was trying to migrate to a new version of pomerium it's the only one problem that I don't know how to solve. Or there is some workaround or hack how I can fix it?

Thanks in advance.

Travis Groth · Answer 1 · Fri Feb 11 2022 03:18:49 GMT+0800 (China Standard Time)

Hi @emelyanovtv can you explain what your use case is or what problem you're running into?

Our proxy will now generate a self signed cert for routes when there's no certificate found, so the internally generated wildcard isn't needed anymore. If you need a trusted cert for more than just testing, you should probably reach for cert-manager or a cert from a traditional public CA.

Timofei Emelianov · Answer 2 · Fri Feb 11 2022 03:24:24 GMT+0800 (China Standard Time)

Probably I didn't investigate enough. But previous behavior was that proxy deployment was anticipating tls.crt at start from config file(proxy-tls was automatically generated), but after migration it's always failing because those file doesn't exists anymore(file not found).

Travis Groth · Answer 3 · Fri Feb 11 2022 03:50:40 GMT+0800 (China Standard Time)

We'd need more detail to determine what kind of issue you're running into. The proxy should not fail to start on the current chart but you may need to follow upgrade steps if you have an existing install.

For general help, please see getting help, but if you believe you've found a bug, feel free to follow the bug template so we can gather sufficient information.

Timofei Emelianov · Answer 4 · Fri Feb 11 2022 04:20:32 GMT+0800 (China Standard Time)

I was following upgrade plan, that's why I crated this feature request. I will try to look into this more deeply tomorrow.

But generally, after upgrade proxy-tls secret disappeared from my rendered template(final manifest) and proxy deployment rely on it. This is the main issue. And it was released in version 25

Thanks for quick response.

Timofei Emelianov · Answer 5 · Fri Feb 11 2022 17:35:13 GMT+0800 (China Standard Time)

The last silly question: why this variable was created, it's not used anywhere, and how it's related to proxy ?

Travis Groth · Answer 6 · Fri Feb 11 2022 23:19:25 GMT+0800 (China Standard Time)

The last silly question: why this variable was created, it's not used anywhere, and how it's related to proxy ?

I'm not sure. I suspect that was left in by mistake during the development of that refactor. As you point out, I don't see it used anywhere.