wildcard cert cleanup #3966
Conversation
Pull request overview
This PR removes the wildcard certificate infrastructure for odl.mit.edu and ol.mit.edu domains from the EKS cluster, including Vault policies, authentication backend roles, and Kubernetes secret resources. The changes also remove the now-unused export import from Pulumi.
Key Changes:
- Removed Vault policy and auth backend role for traefik-gateway
- Removed OLVaultK8SResources configuration for the operations namespace
- Removed static secret configurations for both odl-wildcard-cert and ol-wildcard-cert
- Removed export from Pulumi imports
Comments suppressed due to low confidence (1)
src/ol_infrastructure/substructure/aws/eks/main.py:156
- The removal of the ol-wildcard-cert secret from the operations namespace will break multiple applications that depend on it. The following applications reference this secret:
  - learn_ai/__main__.py (line 1189) - Uses ol-wildcard-cert from the operations namespace for HTTPS TLS configuration
  - unified_ecommerce/__main__.py (line 1077) - Uses ol-wildcard-cert from the operations namespace for HTTPS TLS configuration
These applications expect the certificate to be available in the operations namespace and will fail when trying to reference it. Before removing these resources, you need to either:
- Update the dependent applications to use alternative certificate sources (e.g., cert-manager generated certificates)
- Ensure the applications are migrated to not rely on this shared wildcard certificate
############################################################
# Secondary resources for cert-manager
############################################################
# ClusterIssuer resources to provide a shared, preconfigured method
# for requesting certificates from letsencrypt
cert_manager_clusterissuer_resources = kubernetes.yaml.v2.ConfigGroup(
    f"{cluster_name}-cert-manager-clusterissuer-resources",
    skip_await=True,
    objs=[
        {
            "apiVersion": "cert-manager.io/v1",
            "kind": "ClusterIssuer",
            "metadata": {
                "name": "letsencrypt-staging",
                "labels": k8s_global_labels,
            },
            "spec": {
                "acme": {
                    "email": "[email protected]",
                    "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                    "disableAccountKeyGeneration": False,
                    "privateKeySecretRef": {
                        "name": "letsencrypt-staging-private-key",
                    },
                    "solvers": [
                        {
                            "selector": {
                                "dnsZones": cluster_stack.require_output(
                                    "allowed_dns_zones"
                                ),
                            },
                            "dns01": {
                                "route53": {},
                            },
                        },
                    ],
                },
            },
        },
        {
            "apiVersion": "cert-manager.io/v1",
            "kind": "ClusterIssuer",
            "metadata": {
                "name": "letsencrypt-production",
                "labels": k8s_global_labels,
            },
            "spec": {
                "acme": {
                    "email": "[email protected]",
                    "server": "https://acme-v02.api.letsencrypt.org/directory",
                    "disableAccountKeyGeneration": False,
                    "privateKeySecretRef": {
                        "name": "letsencrypt-production-private-key",
                    },
                    "solvers": [
                        {
                            "selector": {
                                "dnsZones": cluster_stack.require_output(
                                    "allowed_dns_zones"
                                ),
                            },
                            "dns01": {
                                "route53": {},
                            },
                        },
                    ],
                },
            },
        },
    ],
    opts=ResourceOptions(
        provider=k8s_provider,
        delete_before_replace=True,
    ),
)
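A preflight check of the kind the finding above calls for, as an added example that is not part of this PR or the ol-infrastructure code base: it scans Kubernetes manifests (constructed sample objects below) for anything still consuming a TLS secret in a namespace, so a shared secret such as ol-wildcard-cert is only removed once no Ingress, IngressRoute or pod volume references it. The manifest shapes and workload names are assumptions, not the real learn_ai or unified_ecommerce deployments.

```python
# Added example (not ol-infrastructure code): preflight check that lists what
# still consumes a shared TLS secret before it is deleted from a namespace.
from typing import Iterable


def _pod_spec(obj: dict) -> dict:
    """Pod spec of a bare Pod, or of the template in a Deployment-like object."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def find_secret_consumers(manifests: Iterable[dict], secret: str, namespace: str) -> list[str]:
    """Return 'Kind/name' for each resource in `namespace` referencing `secret`:
    Ingress spec.tls[].secretName, Traefik IngressRoute spec.tls.secretName, and
    pod volumes backed by the secret (bare Pods or workload templates)."""
    consumers = []
    for obj in manifests:
        meta = obj.get("metadata", {})
        if meta.get("namespace", "default") != namespace:
            continue
        kind, spec = obj.get("kind"), obj.get("spec", {})
        if kind == "Ingress":
            hit = any(t.get("secretName") == secret for t in spec.get("tls", []))
        elif kind == "IngressRoute":
            hit = spec.get("tls", {}).get("secretName") == secret
        else:
            volumes = _pod_spec(obj).get("volumes", [])
            hit = any(v.get("secret", {}).get("secretName") == secret for v in volumes)
        if hit:
            consumers.append(f"{kind}/{meta.get('name')}")
    return consumers


def safe_to_remove(manifests: Iterable[dict], secret: str, namespace: str) -> bool:
    """True only when nothing in the namespace still references the secret."""
    return not find_secret_consumers(manifests, secret, namespace)


# Constructed sample manifests; the names are illustrative, not the real workloads.
SAMPLE_MANIFESTS = [
    {"kind": "Ingress", "metadata": {"name": "learn-ai", "namespace": "operations"},
     "spec": {"tls": [{"secretName": "ol-wildcard-cert"}]}},
    {"kind": "IngressRoute", "metadata": {"name": "unified-ecommerce", "namespace": "operations"},
     "spec": {"tls": {"secretName": "ol-wildcard-cert"}}},
    {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "operations"},
     "spec": {"template": {"spec": {"volumes": [{"secret": {"secretName": "ol-wildcard-cert"}}]}}}},
    {"kind": "Ingress", "metadata": {"name": "unrelated", "namespace": "applications"},
     "spec": {"tls": [{"secretName": "ol-wildcard-cert"}]}},
]
```

Running the check against a live cluster means feeding it the objects returned by listing these kinds in the target namespace; the deletion in this PR would be blocked until the consumer list comes back empty.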
Can we merge this now?
Description (What does it do?)
Removed the odl.mit.edu and ol.mit.edu certificates from the cluster.