Updating amppackage.example.toml documentation. #361
Conversation
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
amppkg.example.toml
Outdated
| @@ -170,3 +188,75 @@ ForwardedRequestHeaders = [] | |||
| # Domain = "www.corp.amppackageexample.com" | |||
| # PathRE = "/world/.*" | |||
| # QueryRE = "" | |||
|
|
|||
| # ACME is a protocol that allows for automatic renewal of certificates. Amp packager uses an ACME library | |||
There was a problem hiding this comment.
s/Amp/AMP/ (ditto lines 229 and 237) and capitalize packager as Packager whenever it follows "AMP" (ditto below)
amppkg.example.toml
Outdated
| @@ -170,3 +188,75 @@ ForwardedRequestHeaders = [] | |||
| # Domain = "www.corp.amppackageexample.com" | |||
| # PathRE = "/world/.*" | |||
| # QueryRE = "" | |||
|
|
|||
| # ACME is a protocol that allows for automatic renewal of certificates. Amp packager uses an ACME library | |||
| # https://github.com/go-acme/lego to handle certificate renewal. | |||
There was a problem hiding this comment.
I would move details about the spec and the Go library to the bottom of this prologue comment. Focus on what it does, how to enable it, and any gotchas.
There was a problem hiding this comment.
Fixed, let me know if the changes are satisfactory.
amppkg.example.toml
Outdated
| @@ -47,6 +47,24 @@ | |||
| # SHA-256). | |||
| CertFile = './pems/cert.pem' | |||
|
|
|||
| # The path to save a new cert retrieved from the CA if the current cert in | |||
| # 'CertFile' above is still valid. | |||
| # This is optional and is needed only if you have 'autorenewcert' # turned on. | |||
There was a problem hiding this comment.
Is this optional? My build complains if it's missing, and it looks like the code checks for it too:
amppackager/packager/certcache/certcache.go
Line 833 in e416691
amppkg.example.toml
Outdated
| # https://www.digicert.com/csr-creation.htm?rid=011592 | ||
| # https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/ | ||
| # https://geekflare.com/san-ssl-certificate/ | ||
| # This is optional and is needed only if you have 'autorenewcert' # turned on. |
amppkg.example.toml
Outdated
| @@ -47,6 +47,24 @@ | |||
| # SHA-256). | |||
| CertFile = './pems/cert.pem' | |||
|
|
|||
| # The path to save a new cert retrieved from the CA if the current cert in | |||
| # 'CertFile' above is still valid. | |||
| # This is optional and is needed only if you have 'autorenewcert' # turned on. | |||
There was a problem hiding this comment.
Clarify in the docs: For multi-replica setups, does this need to be set on the non-autorenewcert replicas?
amppkg.example.toml
Outdated
| # https://go-acme.github.io/lego/dns/ | ||
| # DnsProvider = "gcloud" | ||
| # [ACMEConfig.Development] | ||
| # This config will ne used if 'autorenewcert' is turned on and 'development' is turned on. |
There was a problem hiding this comment.
What happens if -autorenewcert -development is turned on, but no [ACMEConfig.Development] is specified here? The above text says this is okay, but ISTR amppkg will refuse to start in this case.
There was a problem hiding this comment.
The text just says this config will be used if those flags are on. I added more verbage that says if the flags are on and the config is missing, AMP Packager will fail to start.
| # in 'CertFile' and 'NewCertFile' are located on a shared filesystem accessible by all AMP packager instances. | ||
| # [ACMEConfig] | ||
| # [ACMEConfig.Production] | ||
| # This config will be used if 'autorenewcert' is turned on and 'development' is turned off. |
There was a problem hiding this comment.
Move this comment above [ACMEConfig.Production] to match the style in this file.
amppkg.example.toml
Outdated
| # This config will ne used if 'autorenewcert' is turned on and 'development' is turned on. | ||
| # All the other fields below have the same semantics as the one in ACMEConfig.Production above. |
There was a problem hiding this comment.
Ditto, move this comment above [ACMEConfig.Development].
| # DnsProvider = "gcloud" | ||
| # [ACMEConfig.Development] | ||
| # This config will ne used if 'autorenewcert' is turned on and 'development' is turned on. | ||
| # All the other fields below have the same semantics as the one in ACMEConfig.Production above. |
There was a problem hiding this comment.
I would add a suggestion of Let's Encrypt in development, since it's free and development-mode doesn't require the SXG extension. (This lines up with how Matt suggested use of development-mode in the talk.)
amppkg.example.toml
Outdated
| # [ACMEConfig.Development] | ||
| # This config will ne used if 'autorenewcert' is turned on and 'development' is turned on. | ||
| # All the other fields below have the same semantics as the one in ACMEConfig.Production above. | ||
| # DiscoURL = "development-acme.discovery.url" |
|
@twifkak comments fixed |
|
cc\ @alabiaga |
amppkg.example.toml
Outdated
| # | ||
| # DiscoURL = "production-acme.discovery.url" | ||
| # | ||
|
|
There was a problem hiding this comment.
Remove this blank line, so each comment is grouped with its field. So the format is like:
# Comment explaining Field. Blah blah lorem
# ipsum blah.
# Field = "foo"
# Comment explaining OtherField. Oh wow so
# interesting.
# OtherField = true
amppkg.example.toml
Outdated
| # This is the email address you used to create an account with the Certificate Authority that is registered to | ||
| # request signed exchange certificates. | ||
| # | ||
|
|
|
Wilco. It turns out I can just make the changes in this case. |
Updating amppackage.example.toml documentation for newly added fields for cert autorenewal.
Addresses #93