Skip to content

Add in progress note to internal_certificate_spec #34364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jubrad wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add in progress note to internal_certificate_spec #34364

jubrad wants to merge 1 commit into from
+2 −1

Conversation

@jubrad
Copy link
Contributor

@jubrad jubrad commented Dec 4, 2025

Motivation

Currently we don't validate the cert on the balancer side. It'll still generated an used to encrypt but since there's no validation it's susceptible to MIM.

Tips for reviewer

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

@jubrad jubrad requested review from a team as code owners December 4, 2025 16:15
doy-materialize
doy-materialize reviewed Dec 4, 2025
View reviewed changes
src/cloud-resources/src/crd/materialize.rs Outdated
/// The cert-manager Issuer or ClusterIssuer to use for database internal communication.
/// The `issuerRef` field is required.
/// This currently is only used for environmentd, but will eventually support clusterd.
// Implementation in progress:
Copy link
Contributor

@doy-materialize doy-materialize Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think it makes sense to have the "implementation in progress" notes as a normal (non-doc) comment, but can we also add a big "do not use" warning as a doc comment here as well, so it shows up in our generated docs?

@jubrad jubrad force-pushed the materialize-cert-crd-doc-update branch from e1a3252 to 21777ac Compare December 4, 2025 16:49
doy-materialize
doy-materialize reviewed Dec 4, 2025
View reviewed changes
src/cloud-resources/src/crd/materialize.rs Outdated
/// The cert-manager Issuer or ClusterIssuer to use for database internal communication.
/// The `issuerRef` field is required.
/// This currently is only used for environmentd, but will eventually support clusterd.
/// Implementation in progress:
Copy link
Contributor

@doy-materialize doy-materialize Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't think we need in progress notes in our public docs? can we just say "not yet implemented" in the public doc comment like console_external_certificate_spec does, and leave the progress notes as a non-doc comment?

@jubrad jubrad force-pushed the materialize-cert-crd-doc-update branch from 21777ac to 0d45755 Compare December 4, 2025 21:04
@jubrad jubrad enabled auto-merge December 4, 2025 21:37
@jubrad jubrad disabled auto-merge December 4, 2025 21:38
@jubrad jubrad force-pushed the materialize-cert-crd-doc-update branch from 0d45755 to d3bd887 Compare December 4, 2025 21:39
kay-kim
kay-kim reviewed Dec 5, 2025
View reviewed changes
doc/user/data/self_managed/materialize_crd_descriptions.json
"name": "internalCertificateSpec",
"type": "MaterializeCertSpec",
"description": "The cert-manager Issuer or ClusterIssuer to use for database internal communication.\nThe `issuerRef` field is required.\nThis currently is only used for environmentd, but will eventually support clusterd.",
"description": "The cert-manager Issuer or ClusterIssuer to use for database internal communication.\nThe `issuerRef` field is required.\nThis currently is only used for environmentd, but will eventually support clusterd.\nNot yet implemented.",
Copy link
Contributor

@kay-kim kay-kim Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Heh ... that "Not yet implemented" -- Is it referring to the clusterd part? Because it's in a standalone sentence ... it makes it sound like the whole thing is not yet implemented. Kind of like, if we had added a Deprecated afterwards ... it'd be more for the whole thing.

Copy link
Contributor

@kay-kim kay-kim Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh ... actually, reading the description... exactly, what is not implemented?

Copy link
Contributor

@doy-materialize doy-materialize Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using internalCertificateSpec will not do what people expect, because the implementation of that feature is only partially complete - customers should not be using it at all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kay-kim kay-kim kay-kim left review comments

@doy-materialize doy-materialize doy-materialize approved these changes

@jasonhernandez jasonhernandez Awaiting requested review from jasonhernandez

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jubrad @kay-kim @doy-materialize