chart: generate a CA cert with certmanager for hubble tls generation #24505
When hubble tls auto method is set to certmanager with no issuer ref, generate the CA certificate using a self-signed issuer and use this CA for the hubble issuer. Add missing server auth usage for hubble server certificate and client auth usage for hubble-relay. Previous behavior was to generate the CA certificate using helm, which was confusing with the method set to certmanager.

Fixes: cilium#24500

Signed-off-by: Valentin Flaux <valentin_flaux@connect-tech.sncf>
Thanks for this! Just a few small details to note here :)
@@ -996,6 +996,10 @@ hubble: | |||
# -- certmanager issuer used when hubble.tls.auto.method=certmanager. | |||
# If not specified, a CA issuer will be created. | |||
certManagerIssuerRef: {} | |||
# -- Generated CA certificate validity duration in days for the Issuer. | |||
# Only used if certManagerIssuerRef is not specified. | |||
issuerCertValidityDuration: 26280 |
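Review bot: the default of 26280 days works out to 72 years of CA validity, which the values comment should state explicitly so users understand what they get when they leave `certManagerIssuerRef` empty; the comment also says "for the Issuer" while the duration is applied to the generated CA Certificate, so consider "validity duration in days of the generated CA certificate". As the reviewer notes, the same key and comment must be added to values.yaml.tmpl so the generated docs pick it up.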
This also needs to be set in the values.yaml.tmpl file for our helm chart and doc generating tool to work
more info about that is at https://github.com/cilium/cilium/blob/9be3b287363bbb2c1ef3160aa5e4bb2c236574fa/Documentation/contributing/development/dev_setup.rst#making-changes-to-the-helm-chart (seems to not yet be released to our docs site)
spec: | ||
commonName: Cilium CA | ||
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.issuerCertValidityDuration 24) }} | ||
isCA: true |
This will generate an RSA key by default; within Cilium we are already using ECDSA.
algorithm: ECDSA
We might consider doing the same here.
ca.crt: {{ .ca.Cert | b64enc }} | ||
ca.key: {{ .ca.Key | b64enc }} | ||
spec: | ||
commonName: Cilium CA |
We might want to add Hubble here too, as Cilium uses certificates for cluster mesh, service mesh, network policy... If a user sees a certificate signed by this, it helps to say that it is Cilium Hubble.
Commit 5587e8efacfb99cc977c2494be05f7da443bf180 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Looks like @meyskens' requested changes are done, LGTM now.
Hey @vflaux, thanks for your contribution! This is a heads up that we are merging #24666, which addresses #24500 in a different way. Essentially, that PR makes it mandatory to specify the issuer configuration when using cert-manager. That targets both hubble and clustermesh related configurations, and encourages the best practice of using the same CA for all components. I personally believe it also reduces the overall confusion during operations, explicitly demanding users to select which issuer type to use, since Cilium should not be concerned with the generation of the CA as much as possible. And users can just create a self-signed issuer with whatever deployment method they are using (e.g., flux2) if they are not interested in establishing a clustermesh. Given the above, I'm closing this PR as superseded. Feel free to comment or open an issue and tag me if you feel something is still missing in this regard.
When hubble tls auto method is set to certmanager with no issuer ref, generate the CA certificate using a self-signed issuer and use this CA for the hubble issuer.
Previous behavior was to generate the CA certificate using helm. It was confusing with the method set to certmanager, as we could expect all certs to be created with certmanager.
The generated secret containing the CA by helm was also missing the "tls.crt" key.
Fixes: #24500
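The bootstrap chain the description outlines (a self-signed Issuer signs a CA Certificate, a CA Issuer backed by that secret signs the Hubble leaf certificates, and the leaf certificates carry the server auth and client auth usages the PR adds), written out as plain cert-manager manifests. This is an added example, not the PR's Helm template or Cilium's code; resource names, the namespace and the DNS name are assumptions, and the ECDSA key and the "Hubble" CA name follow the reviewers' suggestions above.

```yaml
# Added example, not the chart template. Names, namespace and DNS name are assumptions.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: cilium-selfsigned, namespace: kube-system}
spec:
  selfSigned: {}            # bootstrap issuer: only ever signs the CA below
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: cilium-ca, namespace: kube-system}
spec:
  isCA: true
  commonName: Cilium Hubble CA
  secretName: cilium-ca     # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 630720h0m0s     # 26280 days * 24 hours, the PR's default, as a Go duration
  privateKey:
    algorithm: ECDSA        # reviewer's point: the default would be an RSA key
    size: 256
  issuerRef: {name: cilium-selfsigned, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: hubble-issuer, namespace: kube-system}
spec:
  ca:
    secretName: cilium-ca   # a CA issuer needs tls.crt here, the key the helm secret lacked
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: hubble-server-certs, namespace: kube-system}
spec:
  secretName: hubble-server-certs
  dnsNames: ["hubble-server.cluster.example"]   # placeholder SAN for the hubble server
  privateKey: {algorithm: ECDSA}
  usages: ["digital signature", "server auth"]  # server auth: the usage the PR adds
  issuerRef: {name: hubble-issuer, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: hubble-relay-client-certs, namespace: kube-system}
spec:
  secretName: hubble-relay-client-certs
  commonName: hubble-relay  # placeholder client identity presented to the hubble server
  privateKey: {algorithm: ECDSA}
  usages: ["digital signature", "client auth"]  # client auth: the usage the PR adds for relay
  issuerRef: {name: hubble-issuer, kind: Issuer}
```

The leaf certificates list their usages explicitly because setting `usages` replaces cert-manager's defaults; a server certificate issued without "server auth" is rejected by clients that validate extended key usage, which is the gap the PR description refers to.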