Fix OpenShift example #7591
/cc @deads2k
e289f82 to 1427b43
Another use case brought up by this: It's very difficult to use TLS on service accounts today. The signer cert has to be kept separate from the infrastructure, you have to generate the cert after the service is created (to get both the DNS name and the portalIP), and it's a lot of manual steps. After seeing how we could do auto secret generation from the service account, I'm inclined to replicate that solution for service certificates. A user in a namespace would create a secret with a name or annotation matching a service name and a secret.type "ServiceTLSCertificate". A controller (that has access to a signing cert for a CA that pods in the cluster can trust) would see that secret was created and fill out a cert for the service portalIP and DNS named by the secret's annotation. Any pods in that service could then mount that secret and have a cert automatically generated. The consumers of the service could get the CA for the service from DNS (which could automatically add the CA to DNSSEC via skydns).
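The certificate-issuing step of the proposal above, written out as an added Go example (this is not code from this PR, from Kubernetes or from OpenShift): a signing CA that only the controller would hold, a serving certificate whose subject alternative names are exactly the service DNS name and its portalIP, and the consumer-side check that the certificate chains to the cluster CA and matches the host being dialled. The function names, the Ed25519 key type, the validity periods, and the sample service name and portal IP are this example's own assumptions; the page defines none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewCA makes the signing CA; in the proposal only the controller holds this key.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cluster-service-ca"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueServiceCert is the controller's step: a serving cert whose SANs are the service DNS name and portalIP.
func IssueServiceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string, portalIP net.IP) ([]byte, []byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		IPAddresses:  []net.IP{portalIP},
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

// VerifyServiceCert is the consumer's step: chain to the CA and match the host actually dialled.
func VerifyServiceCert(certPEM []byte, ca *x509.Certificate, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	// Sample service name and portalIP, constructed for this example.
	certPEM, keyPEM, err := IssueServiceCert(ca, caKey, "frontend.myproject.svc.cluster.local", net.ParseIP("172.30.0.10"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s%s", certPEM, keyPEM)
}
```

The two PEM blocks are what would land in the secret's data for pods to mount; the CA certificate, not the CA key, is what consumers need. `VerifyOptions.DNSName` also accepts an IP literal and matches it against the IP SANs, so a client that dials the portalIP directly gets the same check as one using the DNS name.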
63e2ef5 to 1439a64
Any chance we can merge this now? openshift/origin#2055 merged so the updated Docker images should have no more problems doing WATCH against Kubernetes resources.
Stop breaking travis
Boilerplate is wrong
Just like @eparis to change boilerplate text and mess up my PRs, this should be all set now ;-)
LGTM, will merge on green
I like stomping on people's PRs!
All known flakes.
Fixes #4997
This example requires OpenShift merges: openshift/origin#2015
I think an interesting use case driven from this example is the common need to take a set of files and bundle them into a secret. We have an experimental command that does this in OpenShift, but it is useful, and would be probably of general value to Kubernetes.
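The bundling step described above, as an added Go example; it is neither the OpenShift experimental command nor Kubernetes code. Each file becomes a data key named after the file (that name is what the file is called once the secret is mounted), values are base64 encoded as the API requires, and the key syntax and the 1 MiB secret size cap are checked before a manifest is produced. The function and type names, the `bundled-files` default name and the in-memory `Secret` struct are this example's own assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// maxSecretSize mirrors the 1 MiB cap the API server enforces on one Secret.
const maxSecretSize = 1024 * 1024

// Data keys become file names inside the mounted volume, so only safe names are allowed.
var validKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// Secret is the subset of the v1 Secret object this example emits (assumed shape).
type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

// BundleFiles reads each path into a map keyed by the file's base name and
// rejects names that cannot be mounted or that collide with each other.
func BundleFiles(paths []string) (map[string][]byte, error) {
	data := make(map[string][]byte, len(paths))
	for _, p := range paths {
		key := filepath.Base(p)
		if !validKey.MatchString(key) || key == "." || key == ".." {
			return nil, fmt.Errorf("%q is not a valid secret data key", key)
		}
		if _, dup := data[key]; dup {
			return nil, fmt.Errorf("duplicate key %q: two files share a base name", key)
		}
		b, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		data[key] = b
	}
	return data, nil
}

// SecretManifest encodes the bundle as a Secret object. Values are base64
// encoded, not encrypted: the manifest is as sensitive as the files themselves.
func SecretManifest(name string, data map[string][]byte) ([]byte, error) {
	total := 0
	encoded := make(map[string]string, len(data))
	for k, v := range data {
		total += len(v)
		encoded[k] = base64.StdEncoding.EncodeToString(v)
	}
	if total > maxSecretSize {
		return nil, fmt.Errorf("bundle is %d bytes, over the %d byte secret limit", total, maxSecretSize)
	}
	return json.MarshalIndent(Secret{
		APIVersion: "v1",
		Kind:       "Secret",
		Metadata:   map[string]string{"name": name},
		Type:       "Opaque",
		Data:       encoded,
	}, "", "  ")
}

// Usage: go run bundle.go ca.crt token > secret.json
func main() {
	data, err := BundleFiles(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := SecretManifest("bundled-files", data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

The size check happens on the raw bytes, which is what the server counts; base64 adds about a third on the wire, so a bundle that passes here still has headroom in the request body.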
/cc @smarterclayton you should hopefully see this is much simpler now.