
generate: add ca.crt to tls secrets #15

Merged
merged 2 commits into master from pr/kaworu/add-ca.crt-to-tls-secrets
Apr 12, 2021

Conversation

kaworu
Copy link
Member

@kaworu kaworu commented Mar 23, 2021

In an effort to minimize friction and integration with cert-manager, we're aiming to generate the TLS Secrets with the same data keys as it does.

The only missing data key is ca.crt which is the Certificate of the Authority that signed the TLS certificate in tls.crt. This PR populates the ca.crt key in data accordingly.

@kaworu kaworu added the enhancement New feature or request label Mar 23, 2021
@kaworu kaworu force-pushed the pr/kaworu/add-ca.crt-to-tls-secrets branch from 915b258 to 32000be on March 23, 2021 13:31
Preparation to keep a *CA reference in the *Cert struct, so that we can
export the CACertBytes into the generated Secret.

Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
The rationale behind this patch is to generate the same TLS Secret data
as cert-manager[1] does.

[1]: https://cert-manager.io/

Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
@kaworu
Copy link
Member Author

kaworu commented Mar 23, 2021

I've pushed an image based on this PR at quay.io/kaworu/certgen:dev, you can reproduce with

% helm install cilium cilium/cilium --version 1.9.5 --namespace kube-system \
    --set hubble.enabled=true \
    --set hubble.relay.enabled=true \
    --set hubble.tls.auto.method=cronJob \
    --set certgen.image.repository=quay.io/kaworu/certgen \
    --set certgen.image.tag=dev \
    --set certgen.image.pullPolicy=Always

After the hubble-generate-certs Job is Completed, we get:

% kubectl get secrets -n kube-system hubble-server-certs  -o json | jq .data
{
  "ca.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNhZ0F3SUJBZ0lVT2RodnNsMEtyOGxvMzBtOFhuUnUvTHdMbkJJd0NnWUlLb1pJemowRUF3SXcKSGpFY01Cb0dBMVVFQXhNVGFIVmlZbXhsTFdOaExtTnBiR2wxYlM1cGJ6QWVGdzB5TVRBek1qTXhNekE0TURCYQpGdzB5TkRBek1qSXhNekE0TURCYU1CNHhIREFhQmdOVkJBTVRFMmgxWW1Kc1pTMWpZUzVqYVd4cGRXMHVhVzh3CldUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRZXZ4OU9mdkljSTVoYnREK1lFeFFQTUJtVVBienIKZ1N3aXcrdkxlKzVXaXE2emJkWEtRSlBOTHVJVC9QSHl2TEVYejYxTjFMYVBTdlpHbWRzZjVab0ZvMEl3UURBTwpCZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVU5vUmxoUENyCk5TREVJenY5RmJPZGVPTUtEV3N3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUlIMFAycUFRWHRNbHFZTEVXUXcKenV2NXdGRlQwblplbXpDVFEyTWVTbS8rQWlFQTdxMTEzSnZ3M1kwUnhjQVA1YVMrWW5CNGFLL2tyMStKSkRrZwowemRQQ2dVPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
  "tls.crt": "…",
  "tls.key": "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1hS3VUWWVUbHM2RlVIWWRlVjVYbWhzM2U5YkRtRFZzeDRzUWJ6K1MwZDlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQ01XbXlBZUpxR0owUDI0UDdSblFHVmpXRzR4TzFzZWRJT0ZCd0NjVzRCdTUrOUtnMHZyRApSY05DSDZ6UC9GQWhEcFluYXFPcjJ6TTQ5OGRLWDYwZE9RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
}
% kubectl get secrets -n kube-system hubble-relay-client-certs -o json | jq .data
{
  "ca.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNhZ0F3SUJBZ0lVT2RodnNsMEtyOGxvMzBtOFhuUnUvTHdMbkJJd0NnWUlLb1pJemowRUF3SXcKSGpFY01Cb0dBMVVFQXhNVGFIVmlZbXhsTFdOaExtTnBiR2wxYlM1cGJ6QWVGdzB5TVRBek1qTXhNekE0TURCYQpGdzB5TkRBek1qSXhNekE0TURCYU1CNHhIREFhQmdOVkJBTVRFMmgxWW1Kc1pTMWpZUzVqYVd4cGRXMHVhVzh3CldUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRZXZ4OU9mdkljSTVoYnREK1lFeFFQTUJtVVBienIKZ1N3aXcrdkxlKzVXaXE2emJkWEtRSlBOTHVJVC9QSHl2TEVYejYxTjFMYVBTdlpHbWRzZjVab0ZvMEl3UURBTwpCZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVU5vUmxoUENyCk5TREVJenY5RmJPZGVPTUtEV3N3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUlIMFAycUFRWHRNbHFZTEVXUXcKenV2NXdGRlQwblplbXpDVFEyTWVTbS8rQWlFQTdxMTEzSnZ3M1kwUnhjQVA1YVMrWW5CNGFLL2tyMStKSkRrZwowemRQQ2dVPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
  "tls.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI2akNDQVkrZ0F3SUJBZ0lVQXppeGFNbzVubjhCYnJONEZoU0h2dGoveTdRd0NnWUlLb1pJemowRUF3SXcKSGpFY01Cb0dBMVVFQXhNVGFIVmlZbXhsTFdOaExtTnBiR2wxYlM1cGJ6QWVGdzB5TVRBek1qTXhNekE0TURCYQpGdzB5TkRBek1qSXhNekE0TURCYU1DTXhJVEFmQmdOVkJBTU1HQ291YUhWaVlteGxMWEpsYkdGNUxtTnBiR2wxCmJTNXBiekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCTmJJQzBXZzFhVmR1Ty9mWVpSN0xmdHIKMW8vNy85T2svV1F6eTNzWjNocFlBbnBzUXpFMm9WbEZ1U2c5bHZRa1Y2ZTBVY09LVE5HOVpMdUFFU0dWNWNTagpnYVV3Z2FJd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGCkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCUXd0K3RibnpYR3dsb0NEVlpnQ05QL09UbHYKc3pBZkJnTlZIU01FR0RBV2dCUTJoR1dFOEtzMUlNUWpPLzBWczUxNDR3b05hekFqQmdOVkhSRUVIREFhZ2hncQpMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d0NnWUlLb1pJemowRUF3SURTUUF3UmdJaEFJaVR4NUF6CjRLcldtY08ySmthQ1FUdVJCYzhUK1ZDS055dEpNRStvT0pBeEFpRUF3TGg2b0hrdmxPUnZpYnVGNjVqZ3BSTnQKYWtBbWRnV0trTFhucVFHQWV3UT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
  "tls.key": "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpTQ1JGL1VDVVBRamt6djYrTmxKaktsMVBINUsrc0tyc2Q1Njc0SkdHTXBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMXNnTFJhRFZwVjI0Nzk5aGxIc3QrMnZXai92LzA2VDlaRFBMZXhuZUdsZ0NlbXhETVRhaApXVVc1S0QyVzlDUlhwN1JSdzRwTTBiMWt1NEFSSVpYbHhBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
}
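The Secret layout the PR description and the kubectl output above show (ca.crt, tls.crt, tls.key) as an added Go example; this is not certgen's or cert-manager's code. It builds a constructed CA and leaf with those three data keys and then runs the check a consumer of such a Secret should perform: that tls.key is the private key for tls.crt, and that tls.crt chains to ca.crt for the expected name. The function names and the names hubble-ca.cilium.io and hubble-relay.cilium.io are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSecretData holds the data keys of a kubernetes.io/tls Secret as PEM bytes, i.e.
// the values of `kubectl get secret -o json | jq .data` after base64 decoding.
type TLSSecretData map[string][]byte

// issue generates a P-256 key and a certificate from tmpl signed by parent/parentKey
// (self-signed when parent is nil). Constructed test material, not a real PKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA returns a self-signed CA certificate and its key (hypothetical CA name).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// generateTLSSecret issues a leaf for dnsName under ca and returns the Secret data
// with ca.crt, tls.crt and tls.key populated, the cert-manager key layout.
func generateTLSSecret(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (TLSSecretData, error) {
	leaf, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return TLSSecretData{
		"ca.crt":  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}),
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// verifyTLSSecret is the consumer-side check: all three keys present, tls.key is the
// private key for tls.crt, and tls.crt chains to ca.crt and is valid for dnsName.
func verifyTLSSecret(data TLSSecretData, dnsName string) error {
	for _, k := range []string{"ca.crt", "tls.crt", "tls.key"} {
		if len(data[k]) == 0 {
			return fmt.Errorf("secret is missing data key %q", k)
		}
	}
	// X509KeyPair parses both PEM blocks and rejects a key that does not match the cert.
	pair, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"])
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("tls.crt: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(data["ca.crt"]) {
		return fmt.Errorf("ca.crt contains no parsable certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("tls.crt does not chain to ca.crt: %w", err)
	}
	return nil
}
```

Against a real cluster the same check applies after base64-decoding the three values from `kubectl get secret ... -o json | jq .data`; a Secret produced before this PR fails at the first step because ca.crt is absent, and a ca.crt that is not the issuer of tls.crt fails at the chain step.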

@kaworu kaworu marked this pull request as draft March 23, 2021 15:29
@kaworu
Copy link
Member Author

kaworu commented Mar 23, 2021

Marking as draft for now while I'm working on the required changes at https://github.com/cilium/cilium.

@kaworu kaworu marked this pull request as ready for review March 23, 2021 19:36
@gandro gandro merged commit 38ee403 into master Apr 12, 2021
@gandro gandro deleted the pr/kaworu/add-ca.crt-to-tls-secrets branch April 12, 2021 08:09