kpt.dev should have its own cert #2037

Open
mikebz opened this issue May 18, 2021 · 0 comments
Labels: area/devops, enhancement (New feature or request), triaged (Issue has been triaged by adding an `area/` label)

mikebz commented May 18, 2021

Is your feature request related to a problem? Please describe.

Given the amount of effort that kpt is getting, it should have a dedicated certificate. When I examined the certificate on the current kpt.dev I saw weegl.app. Not sure what weegl.app is, I decided to examine it further. It seems like kpt.dev is sharing the same cert as many other websites; I doubt any of them are from Google.

```
~ » curl -vvI https://kpt.dev
*   Trying 151.101.65.195...
* TCP_NODELAY set
* Connected to kpt.dev (151.101.65.195) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=weegl.app
*  start date: Apr 13 03:23:28 2021 GMT
*  expire date: Jul 12 04:23:28 2021 GMT
*  subjectAltName: host "kpt.dev" matched cert's "kpt.dev"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fba32810a00)
> HEAD / HTTP/2
> Host: kpt.dev
> User-Agent: curl/7.64.1
> Accept: */*
```

Describe the solution you'd like

There are Google managed certificates that can be plugged into the GCP LB. I would consider publishing the website content to a bucket of the GCP project we already have for kpt-dev and establishing an LB there. One of the added benefits is that we have all the permissions for all the team members there as well.

Describe alternatives you've considered

One could also have an LB that points to Firebase or get Cloudflare, but I think a lot of those solutions are not as straightforward as just a simple GCS bucket with an LB.

Additional context

mikebz added the enhancement and triaged labels on May 18, 2021
mikebz added this to the v1.1 milestone on May 18, 2021
mikebz removed this from the v1.1 milestone on Jul 14, 2021
etefera removed their assignment on Dec 4, 2022
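
The check described in the issue (a certificate whose subject is another site and which only covers kpt.dev through a subjectAltName entry) can be automated. The following is an added example, not part of the original issue or the kpt project: it audits the dict that Python's `ssl` module returns from `getpeercert()`. The `SAMPLE_CERT` values are constructed; only the subject CN, the `kpt.dev` SAN and the issuer come from the curl output above, and the `tenant-*.example` names are placeholders.

```python
import socket
import ssl

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup: validated leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def _covers(san, host):
    """True if a SAN dNSName (exact or one-label wildcard) covers host."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def _same_site(san, site):
    """True if the SAN is the site's own domain or a name beneath it."""
    base = san.lower()[2:] if san.startswith("*.") else san.lower()
    return base == site.lower() or base.endswith("." + site.lower())

def audit_cert(cert, site):
    """Report whether cert is dedicated to `site` or shared with other names."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    foreign = [n for n in sans if not _same_site(n, site)]
    matched = any(_covers(n, site) for n in sans)
    return {
        "subject_cn": subject.get("commonName", ""),
        "host_matched": matched,          # what curl reports as "matched"
        "foreign_names": foreign,         # names belonging to other sites
        "dedicated": matched and not foreign,
    }

# Constructed sample shaped like getpeercert() output (see lead-in).
SAMPLE_CERT = {
    "subject": ((("commonName", "weegl.app"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),),
               (("commonName", "GTS CA 1D4"),)),
    "subjectAltName": (("DNS", "weegl.app"), ("DNS", "kpt.dev"),
                       ("DNS", "tenant-a.example"), ("DNS", "tenant-b.example")),
}

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, "kpt.dev"))
```

Against a live site, pass `fetch_peer_cert("kpt.dev")` instead of `SAMPLE_CERT`; a certificate can verify and match the hostname while still reporting `dedicated: False`.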