-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[devworkspace] Generate webhook server cert with job on kubernetes #17855
Comments
Why aren't we using certmanager on Kubernetes? It looks like the industry-trusted tool to manage certificates on Kubernetes. |
Better to ask deploy team. @tolusha @mmorhun Do you have any comments why we moved from cert-manager on operator/chectl side? |
At the first iteration of bringing TLS by default into Eclispe Che we used Cert-Manager with helm installer. At that point it sounded like a perfect solution. However, some experience showed, that it has own downsides. What I recall:
So, for operator we decided to use our own lightweight job which just have work done. Operator launches it, if there is no existing certificate, so a user can just precreate one manually or via Cert-Manager or another tool and Che will use it. |
P.S. Depending on cert-manager operator means be blocked to support OpenShift 4.6 until they migrate to the new bundle format ) And it even does not seems to be present on operatorhub.io https://operatorhub.io/?keyword=manager |
I was always wondering how it is possible to accidentally close issue. It is. Sorry, reopened. |
@sleshchenko I am sorry for not spotting that before but I don't want us to make bad decisions that we may need to pay in the future. We are not in the certificate management business. Maintaining a certificate manager is something I don't want us to deal with. I want to be really sure that there are no better alternatives.
On OpenShift we should not use certmanager but the cert signing service. @mmorhun I am not sure if certmanager is the right tool (maybe cfssl is a better choice?) but we definitely should avoid using che-cert-manager-ca-cert-generator-image because that's an hack that works for a PoC.
I am perfectly ok if we provide a link to the instructions for configuring certmanager. We should not generate the CA key/certificate, the user should do that with its PKI infra.
Che operator should not install/configure certmanager. It should be a pre-requisite.
Sure but the effort is justified because we will support an industry standard. Whereas maintaining our certificate signer image is something that have less value: customers cannot really use it in production (we do not manage certs rotations, revocation etc...).
Again: that should not be part of Che installation time. |
@l0rd I'm OK if we'll try to find a better approach.
Good point! But we still benefit from using cert-gen job while local testing, as well as users who just getting familiar with Che on their minikubes (if any =) )
If we agree on some plan like above - on devworkspace controller side, we won't make cert gen as controller part and like previously we'll generate certificates as deployment prerequisites(now one for webhook server, later +1 for workspaces endpoints), with a non-production makefile rule that will init certificates on minikube; Devworkspace Operator aspect: P.S. Sorry for too many words, I just tried to be clear enough and it does not seem to be a simple topic where I can be short at well. |
I don't understand. The nginx ingress controller comes with a default TLS certificate. If the secret in the Ingress is omitted then the nginx default one will be used. What's the motivation that pushed us to generate an untrusted certificate when we could use nginx default one? I am talking mainly of minikube and I have an hello world sample here that works on minikube. |
For devworkspace I would disable the webhook if no cert+key is provided and the cluster doesn't provide a cert signing service. |
@mmorhun |
@l0rd it was done to have valid self-signed certificate. In case of nginx default certificate we have DNS mismatch. Moreover, some tools require CA certificate, but nginx default one is just self-signed server certificate. |
@sleshchenko @mmorhun you are right about the default ngninx cerficate. I have created a separate issue for a kube cluster with a valid certificate though #18079. And with single host + usage of internal services rather than ingresses we should not need to generate a cert even with that invalid cert (I will log a separate issue for that too). |
On a 4.5.4 CRC cluster, see 2
I also tested on a 4.6.0.rc0 cluster started with cluster-bot, and it has the same 2 As for the fact that is is not on the |
David thanks for sharing info. It's was mistake to reference OpenShift 4.6. I mainly wanted to solve an issue with a certificate manager for devworkspace operator on kubernetes. |
@l0rd We merged the PR since a pretty good job is done there and it solves our issue with multiple deployments support for k8s and OpenShift. Thank you for raising an issue with preferences not to use Che dependent cert gen job. I've created a separate issue to agree on a better alternative devfile/devworkspace-operator#170 |
thank you @sleshchenko |
Thanks for the details @sleshchenko. |
Total aside, but I'm worried about updating to Operator SDK 1.0 -- I poked a bit at it last week and it seems like it could potentially be a very error-prone process (the upgrade guide is "bootstrap a new project and copy file contents over"). |
Is your enhancement related to a problem? Please describe.
Currently. devworkspace controller with webhooks enabled needs certificate.
On the OpenShift we use out-of-the-box to generate such a certificate, for the Kubernetes we have pre-install step to generate those certificates and create them on the cluster.
It's needed to rework that pre-install step to be performed on the same level, as for OpenShift infra: webhook server deploying.
To generate certificates it's proposed to reuse the same job as Che Operators uses https://github.com/eclipse/che-operator/blob/master/pkg/deploy/tls.go#L277
The text was updated successfully, but these errors were encountered: