tls: fallback to self-signed certificate (#2760)

* tls: fallback to self-signed certificate * remove unknown domain because certs are no longer valid * update multi-deployment to use service-specific certificates
2025-08-04 01:09:36 +02:00 · 2021-11-15 14:11:53 -07:00 · 2021-11-15 14:11:53 -07:00 · ca48052551
commit ca48052551
parent 9b3d574d48
14 changed files with 46 additions and 80 deletions
--- a/integration/clusters/auth0-multi/compose.yml
+++ b/integration/clusters/auth0-multi/compose.yml
--- a/integration/clusters/azure-multi/compose.yml
+++ b/integration/clusters/azure-multi/compose.yml
--- a/integration/clusters/github-multi/compose.yml
+++ b/integration/clusters/github-multi/compose.yml
--- a/integration/clusters/gitlab-multi/compose.yml
+++ b/integration/clusters/gitlab-multi/compose.yml
--- a/integration/clusters/google-multi/compose.yml
+++ b/integration/clusters/google-multi/compose.yml
--- a/integration/clusters/oidc-multi/compose.yml
+++ b/integration/clusters/oidc-multi/compose.yml
--- a/integration/clusters/okta-multi/compose.yml
+++ b/integration/clusters/okta-multi/compose.yml
--- a/integration/clusters/onelogin-multi/compose.yml
+++ b/integration/clusters/onelogin-multi/compose.yml
--- a/integration/clusters/ping-multi/compose.yml
+++ b/integration/clusters/ping-multi/compose.yml
--- a/integration/control_plane_test.go
+++ b/integration/control_plane_test.go
@ -75,7 +75,6 @@ func TestHealth(t *testing.T) {
 		"https://authenticate.localhost.pomerium.io",
 		"https://httpdetails.localhost.pomerium.io",
 		"https://restricted-httpdetails.localhost.pomerium.io",
-		"https://unknown.localhost.pomerium.io",
 	}
 	endpoints := []string{"healthz", "ping"}

--- a/integration/tpl/backends/pomerium.libsonnet
+++ b/integration/tpl/backends/pomerium.libsonnet
@ -102,7 +102,6 @@ local Environment(mode, idp, dns_suffix) =
    DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
    GRPC_ADDRESS: ':5443',
    GRPC_INSECURE: 'false',
-    OVERRIDE_CERTIFICATE_NAME: '*.localhost.pomerium.io',
  } else if mode == 'traefik' then {
    FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
  } else if mode == 'nginx' then {
@ -141,6 +140,8 @@ function(mode, idp, dns_suffix='') {
        image: image,
        environment: environment {
          SERVICES: 'authorize',
+          CERTIFICATE: std.base64(importstr '../files/pomerium-authorize.pem'),
+          CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-authorize-key.pem'),
        },
        ports: [
          '9904:9901/tcp',
@ -161,6 +162,8 @@ function(mode, idp, dns_suffix='') {
        image: image,
        environment: environment {
          SERVICES: 'databroker',
+          CERTIFICATE: std.base64(importstr '../files/pomerium-databroker.pem'),
+          CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-databroker-key.pem'),
        },
        ports: [
          '9902:9901/tcp',