You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
Currently, for multi-cluster allocation the client secret is expected to have the server CA. However, this is not compatible with the out-of-the-box certificate management solutions (e.g. cert-manager).
Describe the solution you'd like
GameServerAllocationPolicy has the information about the remote cluster allocation endpoint. The server CA should be a field under connectionInfo, and only provided if the remote server cert is not signed by a public CA (e.g. self-signed). This will be similar to caBundle model in k8s webhooks.
The solution should be backward compatible to support the existing client secret setup, meaning if the secretCA is set in GameServerAllocationPolicy, use it. Otherwise, fall back to the existing solution of using ca.crt from the client secret.
Describe alternatives you've considered
Instead of storing the base64 PEM encoded secret for server CA in connectionInfo, the value can be stored in a k8s secret and a reference to the secret is stored in the GameServerAllocationPolicy. However, because server CA is the public portion of the certificate, there is no security reason for storing it in the k8s secret. It also will add an extra resource read to the multi-cluster allocation operation to read the server CA secret.
The text was updated successfully, but these errors were encountered:
Is your feature request related to a problem? Please describe.
Currently, for multi-cluster allocation the client secret is expected to have the server CA. However, this is not compatible with the out-of-the-box certificate management solutions (e.g. cert-manager).
Describe the solution you'd like
GameServerAllocationPolicy has the information about the remote cluster allocation endpoint. The server CA should be a field under connectionInfo, and only provided if the remote server cert is not signed by a public CA (e.g. self-signed). This will be similar to caBundle model in k8s webhooks.
The solution should be backward compatible to support the existing client secret setup, meaning if the secretCA is set in GameServerAllocationPolicy, use it. Otherwise, fall back to the existing solution of using ca.crt from the client secret.
Describe alternatives you've considered
Instead of storing the base64 PEM encoded secret for server CA in connectionInfo, the value can be stored in a k8s secret and a reference to the secret is stored in the GameServerAllocationPolicy. However, because server CA is the public portion of the certificate, there is no security reason for storing it in the k8s secret. It also will add an extra resource read to the multi-cluster allocation operation to read the server CA secret.
The text was updated successfully, but these errors were encountered: