Use one secret for TLS certificates #292
Conversation
|
Great PR! Please pay attention to the following items before merging: Files matching
This is an automatically generated QA checklist based on modified files. |
There was a problem hiding this comment.
I think the following tls secrets also need to be updated:
- data dashboard backend
- prometheus-alertmanager
- prometheus-grafana
- prometheus-prometheus
We set new secret names for services on a different sub-domain in helmfile layer. So, we can use the same default secret name in the helm charts.
keyvaann
force-pushed
the
one-secret-for-tls
branch
from
d8c6e1c
to
58048ea
Compare
|
Apparently this shouldn't be done. From:
https://cert-manager.io/docs/usage/ingress/#generate-multiple-certificates-with-multiple-ingresses |
|
@keyvaann My point is that this is not the concern of the helm chart. The helmfile layer knows about the final domain a service runs on and therefore is also responsible for accommodating the requirement in the cert-manager docs i.e. make sure that when it runs on a domain that requires a different tls secret a new secrete name is set in accordance. I will approve; at least we have had this discussion and indeed it will not matter much for running the platform. |
This was changed a year ago in this commit
fb46962
But it turns out that now we have get rate limited by Let's Encrypt when requesting for a separate certificate for each application. This PR fixed this.