Generate certificates with easy-rsa #111

Draft: NickCao wants to merge 2 commits into main from easyrsa
Conversation

NickCao (Collaborator) commented Mar 7, 2025

Summary by CodeRabbit

  • New Features

    • Expanded testing and deployment workflows now run concurrently across multiple operating systems, which enhances overall system reliability and performance.
  • Refactor

    • Streamlined secure communications by refining TLS certificate handling and endpoint configuration, ensuring a more robust and consistent connection experience for users.

coderabbitai bot commented Mar 7, 2025

Walkthrough

This pull request updates multiple aspects of the project. In the CI workflows, it introduces a matrix strategy for both end-to-end tests and deployment jobs, allowing parallel runs on two Ubuntu OS variants. The certificate logic throughout the code is simplified by replacing dynamic self-signed generation with static loading from a mounted volume, and helm chart templates are modified to centralize endpoint configuration and enhance TLS support. Additional changes in the secrets job update the image, command structure, and TTL settings, while several helper functions for certificate creation are removed.

Changes

File(s) | Change Summary
.github/workflows/e2e.yaml, .github/workflows/pr-kind.yaml | Updated CI workflows: Added matrix strategy for e2e-tests and a new deploy-kind-matrix job running on ubuntu-24.04 & ubuntu-24.04-arm; modified deploy-kind job logic.
cmd/main.go | Replaced call to NewSelfSignedCertificate with NewSelfSignedLocalhostCertificate to simplify certificate generation for the OIDC provider.
deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/_endpoints.tpl | Updated template functions for controller and router endpoints, introducing new checks and appending ports based on provided values.
deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/controller-deployment.yaml | Added a TLS volume and corresponding volume mount; updated environment variables to use the new endpoint template functions.
deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml | Modified the secrets Job by adding a TTL, updating the container image, and expanding certificate generation and secret creation steps using EasyRSA with kubectl.
internal/service/{controller_service.go, router_service.go, endpoints.go} | Modified internal services: Replaced dynamic self-signed certificate generation with static certificate loading and removed obsolete endpoint processing functions.
internal/service/selfsigned.go | Removed NewSelfSignedCertificate and introduced LoadCertificate and NewSelfSignedLocalhostCertificate functions to streamline certificate handling for localhost.

Sequence Diagram(s)

sequenceDiagram
    participant Matrix as deploy-kind-matrix Job
    participant CI as GitHub Actions
    participant Deploy as deploy-kind Job

    Matrix->>CI: Run on ubuntu-24.04 and ubuntu-24.04-arm concurrently
    CI->>Deploy: Signal matrix job completion with status
    Deploy->>CI: Execute steps and exit if any status indicates failure
sequenceDiagram
    participant Service as Controller/Router Service
    participant FS as File System (/etc/jumpstarter/tls)

    Service->>FS: Call LoadCertificate()
    FS-->>Service: Return TLS certificate (or error if loading fails)

Possibly related PRs

  • Fix e2e test #78 – Updates to the testing workflow using a matrix strategy in .github/workflows/e2e.yaml relate closely to the changes in this PR.

Suggested reviewers

  • mangelajo

Poem

I'm a bunny with a hop so light,
CI flows and TLS shine so bright,
With matrix jobs I play and run,
Certificates loaded, the work is done,
Leaping through code, day and night! 🐰✨

NickCao force-pushed the easyrsa branch 10 times, most recently from 8e204c4 to 7e93ae8 on March 10, 2025 14:25
NickCao marked this pull request as ready for review March 10, 2025 14:33

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
.github/workflows/e2e.yaml (1)

10-15: Matrix Strategy Setup and Runner Label Caution
The matrix strategy is correctly implemented for the end-to-end tests, which will now run on both ubuntu-24.04 and ubuntu-24.04-arm. However, please verify that the runner label "ubuntu-24.04-arm" is valid in your environment. According to common runner labels, this value may be unrecognized unless it is a custom label configured via the actionlint.yaml file.

🧰 Tools
🪛 actionlint (1.7.4)

14-14: label "ubuntu-24.04-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/pr-kind.yaml (1)

8-14: Deploy-Kind-Matrix Job and Runner Label Warning
The introduction of the deploy-kind-matrix job with a matrix strategy is well implemented, enabling parallel deployment tests on different OS configurations. However, similar to the e2e workflow, the use of "ubuntu-24.04-arm" as a runner label could trigger issues if it is not recognized by GitHub’s standard labels. If this is intended as a custom label for self-hosted runners, ensure that your configuration in actionlint.yaml is updated accordingly.

🧰 Tools
🪛 actionlint (1.7.4)

13-13: label "ubuntu-24.04-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml (1)

19-19: Consider using a specific version tag instead of 'latest'

Using the latest tag for production deployments can lead to unexpected behavior when the image is updated, as it makes builds non-deterministic and less reproducible.

-          image: quay.io/jumpstarter-dev/jumpstarter-utils:latest
+          image: quay.io/jumpstarter-dev/jumpstarter-utils:<specific-version>
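Review bot: the suggested replacement still leaves the image mutable; `quay.io/jumpstarter-dev/jumpstarter-utils:<specific-version>` is a tag, and a tag can be re-pushed to point at different content. This container runs EasyRSA to mint the CA and server key pair and writes them into the cluster with kubectl, so whoever can change the image contents controls the trust anchor for every controller and router connection. Pin by digest instead (`image: quay.io/jumpstarter-dev/jumpstarter-utils@sha256:<digest>`) and bump the digest deliberately when the utils image is updated. Since the job skips secrets that already exist, a CA issued by an older image stays in place across upgrades, which is the desired behaviour but is worth stating in the chart's documentation.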
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 0148777 and bd8d3b6.

📒 Files selected for processing (10)
  • .github/workflows/e2e.yaml (1 hunks)
  • .github/workflows/pr-kind.yaml (1 hunks)
  • cmd/main.go (1 hunks)
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/_endpoints.tpl (1 hunks)
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/controller-deployment.yaml (2 hunks)
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml (1 hunks)
  • internal/service/controller_service.go (1 hunks)
  • internal/service/endpoints.go (0 hunks)
  • internal/service/router_service.go (1 hunks)
  • internal/service/selfsigned.go (1 hunks)
💤 Files with no reviewable changes (1)
  • internal/service/endpoints.go
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: deploy-kind-matrix (ubuntu-24.04-arm)
  • GitHub Check: e2e-tests (ubuntu-24.04-arm)
🔇 Additional comments (12)
.github/workflows/e2e.yaml (1)

17-21: Job Steps and Action Usage Reviewed
The subsequent steps that invoke jumpstarter-dev/jumpstarter-e2e@main with appropriate inputs are correctly configured. No issues detected in these lines.

.github/workflows/pr-kind.yaml (1)

22-35: Deploy-Kind Job: Conditional Failure Trigger
The deploy-kind job that depends on deploy-kind-matrix is structured to always run and then conditionally exit with a failure if any matrix job returns "failure", "cancelled", or "skipped". This conditional handling is an effective way to catch and signal issues in the deployment matrix. Ensure that the exit behavior (using exit 1) is consistent with your downstream failure handling processes.

cmd/main.go (1)

137-137: Improved certificate handling for the internal OIDC provider

The change to use NewSelfSignedLocalhostCertificate() instead of the more generic function streamlines the certificate generation process by using appropriate defaults for localhost, which is suitable for an internal OIDC provider.

internal/service/controller_service.go (1)

702-702: Excellent architectural improvement for certificate management

Loading certificates from a mounted secret rather than generating them dynamically is a significant improvement that:

  1. Decouples certificate management from application code
  2. Enables easier certificate rotation
  3. Allows for properly managed certificates rather than self-signed ones
  4. Simplifies the codebase by removing complex logic for certificate generation

This change brings the application more in line with Kubernetes best practices for managing sensitive data.

internal/service/router_service.go (1)

115-115: Consistent certificate management approach across services

This change follows the same pattern implemented in the controller service, loading certificates from a mounted secret rather than generating them dynamically. The consistent approach across services simplifies operational management and provides the same benefits of decoupled certificate management, easier rotation, and code simplification.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/controller-deployment.yaml (2)

51-54: Well-implemented TLS certificate mounting

The addition of a TLS secret volume and its corresponding mount path provides the necessary infrastructure for the refactored certificate loading approach. Setting the mount as read-only is a good security practice for sensitive certificate data. This change coordinates perfectly with the code modifications in both service files.

Also applies to: 79-82


62-64: Improved endpoint configuration

Replacing inline endpoint configuration with template functions centralizes this logic and makes it more maintainable. This change helps ensure consistent endpoint configuration across the deployment.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/_endpoints.tpl (1)

1-2: Well-structured endpoint templating with proper fallbacks

These template definitions provide a clear hierarchy of configuration sources with appropriate fallbacks. The approach centralizes endpoint logic and offers flexibility through multiple configuration options while providing clear error messaging when required values are missing.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml (2)

15-15: Good addition of TTL for job cleanup

Setting ttlSecondsAfterFinished: 600 ensures the job will be automatically cleaned up 10 minutes after completion, preventing accumulation of completed jobs in the cluster.


25-47: Improved certificate generation with EasyRSA

The certificate generation approach using EasyRSA is more robust and standardized than a custom implementation. Good practices include:

  • Extracting hostnames dynamically from template endpoints
  • Properly configuring Subject Alternative Names for both hostnames
  • Creating separate secrets for CA and server certificates
  • Checking if secrets already exist to avoid unnecessary updates
internal/service/selfsigned.go (2)

15-29: Good separation of concerns for certificate handling

The LoadCertificate function follows the single responsibility principle by focusing solely on loading certificates from files. This approach allows certificates to be managed externally (via EasyRSA in the secrets job) rather than generating them dynamically in the application code.


31-40: Simplified localhost certificate generation

The function has been appropriately simplified to focus solely on localhost development scenarios with hardcoded values, making its purpose clearer.
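
The certificate-loading path this PR moves to (a LoadCertificate that reads tls.crt/tls.key from the /etc/jumpstarter/tls secret mount, fed by an EasyRSA job whose server certificate carries SANs for both the controller and router hostnames) in working form, as an added example that is not the project's own code and does not reproduce the project's LoadCertificate signature. It generates a throwaway self-signed pair to stand in for the mounted secret, checks on load that the leaf is within its validity window and covers every expected hostname, and serves it through a tls.Config whose GetCertificate hook re-reads the files so a rotated secret is picked up without a restart. The hostnames, the validation rules, the 10-second reload interval and the directory layout are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// writeSelfSigned writes a throwaway self-signed pair for hosts into dir as tls.crt/tls.key (a kubernetes.io/tls mount layout); it only stands in for the EasyRSA-issued secret.
func writeSelfSigned(dir string, hosts []string, notAfter time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     hosts, // SANs for every name clients will connect to
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	if err := os.WriteFile(filepath.Join(dir, "tls.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "tls.key"), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600) // key stays owner-only
}

// LoadCertificate reads tls.crt/tls.key from dir and rejects the pair unless the leaf is valid at now and its SANs cover every name in required, so a bad secret fails at startup rather than at handshake.
func LoadCertificate(dir string, required []string, now time.Time) (*tls.Certificate, error) {
	cert, err := tls.LoadX509KeyPair(filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key"))
	if err != nil {
		return nil, fmt.Errorf("load key pair from %s: %w", dir, err)
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parse leaf: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (expires %s)", now.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	for _, h := range required {
		if err := leaf.VerifyHostname(h); err != nil {
			return nil, fmt.Errorf("certificate does not cover %q: %w", h, err)
		}
	}
	return &cert, nil
}

// ReloadingConfig re-reads the mounted files from GetCertificate at most once per interval, so a rotated secret takes effect without a restart; a failed reload keeps serving the last good pair.
func ReloadingConfig(dir string, required []string, interval time.Duration) (*tls.Config, error) {
	cur, err := LoadCertificate(dir, required, time.Now())
	if err != nil {
		return nil, err
	}
	var mu sync.Mutex
	last := time.Now()
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			mu.Lock()
			defer mu.Unlock()
			if time.Since(last) >= interval {
				if c, err := LoadCertificate(dir, required, time.Now()); err == nil {
					cur = c
				}
				last = time.Now()
			}
			return cur, nil
		},
	}, nil
}

func main() {
	hosts := []string{"grpc.jumpstarter.example", "router.jumpstarter.example"} // assumed endpoint names
	dir, _ := os.MkdirTemp("", "tls")
	if err := writeSelfSigned(dir, hosts, time.Now().Add(24*time.Hour)); err != nil {
		panic(err)
	}
	if _, err := ReloadingConfig(dir, hosts, 10*time.Second); err != nil {
		panic(err)
	}
	fmt.Println("loaded certificate covering", hosts)
}
```

The reload hook is the part that makes "easier rotation" real: a single tls.LoadX509KeyPair at startup keeps serving the old certificate after Kubernetes refreshes the mounted secret, because the process never looks at the files again. Falling back to the previous pair when a reload fails means a half-written or malformed secret degrades to stale rather than taking the listener down.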

NickCao marked this pull request as draft March 13, 2025 12:59