New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include signing CA certificate in kube-apiserver
's certificate chain
#7961
Include signing CA certificate in kube-apiserver
's certificate chain
#7961
Conversation
Disabled/false by default
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for opening the PR! I have just one question which is not strictly connected to the functionality introduced with this PR. Other looks good.
case c.CA != nil: | ||
// The certificate is not a CA certificate, so we add the signing CA certificate to it and use different | ||
// keys in the secret data. | ||
cert := c.CertificatePEM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am wondering if it make sense to copy/clone the slices always instead of returning the same underlying data in some cases 🤔 Basically if I modify the elements of a slice returned by the SecretData
function do I also expect to modify the elements of the Certificate
slice? There is the Clone function that can help to prevent that. This will also be included in the std lib with go 1.21.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While you are probably right, I think this is quite theoretical and also already the case in many other places. We can certainly consider streamlining this, but probably in a different PR and not only in this particular file but perhaps the larger code base.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree. I just wanted to point that out as something that can be improved in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
LGTM label has been added. Git tree hash: 2d97178d14f5b1e580095cacf6d6740044ef7a88
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: acumino, dimityrmirchev The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-gardener-integration |
gardener#7961) * Support inclusion of CA in server cert chain Disabled/false by default * Include CA in `kube-apiserver`'s server cert chain
How to categorize this PR?
/area security
/kind enhancement
What this PR does / why we need it:
With this PR, the certificate chain of
kube-apiserver
not only includes its server certificate but also the CA certificate used to sign it.Which issue(s) this PR fixes:
Fixes #7905
Special notes for your reviewer:
/cc @dimityrmirchev
Release note: