Use self-signed default router certificate #109
Conversation
What about storing the CA cert itself in |
Yeah, that seems reasonable. We still want to put the secret for the default certificate in |
/retest
/hold
Force-pushed da0cb43 to 6ef8c19
Latest push adds a |
Force-pushed 6ef8c19 to db522b1
/retest
/retest
Force-pushed db522b1 to a2f816f
Latest push changes the name of the CA certificate in the |
Force-pushed a2f816f to 4fa14e3
Fix |
/retest
@@ -8,6 +8,7 @@ rules: | |||
- "" | |||
resources: | |||
- namespaces | |||
- secrets |
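Review bot: Adding `secrets` to this ClusterRole rule gives the operator service account access to secrets in every namespace, which is the "far too broad permissions" concern the PR description itself flags. If the operator only needs the CA and default-certificate secrets in the namespaces it manages, a namespaced Role and RoleBinding (for example in openshift-ingress, as the thread later discusses) would bound what a compromised operator credential can read; at minimum, document in the manifest why cluster scope is required.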
Ouch
Yeah, but how can you get around that? That's the problem with this approach.
At least it's not the router that can read secrets.
True. Only way I know of to get around it is to let the CVO create the openshift-ingress
namespace and a role binding in that namespace for the operator SA.
After further discussion, we decided to defer this issue for now.
@ericavonb @enj @mrogers950 FYI & please feel free to comment
LGTM but I'll hold off tagging until @Miciah has had a chance to comment on whether he's satisfied
return fmt.Errorf("failed to get CA certificate: %v", err) | ||
} | ||
hostnames := sets.NewString(fmt.Sprintf("*.%s", *ci.Spec.IngressDomain)) | ||
cert, err := ca.MakeServerCert(hostnames, 0) |
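Review bot: The bare literal `0` passed as the second argument in `cert, err := ca.MakeServerCert(hostnames, 0)` has no comment at the call site, so a reader cannot tell what certificate lifetime it selects; since rotation is deferred in this PR, that lifetime is the only bound on how long a default certificate stays valid, so name the value (a constant such as `defaultCertLifetimeDays`, or a comment stating that 0 selects the library default) next to the call. Separately, `hostnames` contains only the wildcard `*.<IngressDomain>`, and a wildcard name does not match the bare ingress domain itself or hosts with more than one label below it; confirm that is the intended coverage for the default certificate.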
Rather than a single creation of the CA and cert, you should use the library-go certificate rotators. You'll get creation and rotation on both for free.
CA rotator example:
https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/certrotationcontroller/certrotationcontroller.go#L150
Server cert rotator example: https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/certrotationcontroller/certrotationcontroller.go#L175
@mrogers950, thanks for the pointer! It looks like certrotationcontroller is designed to handle a single server certificate whereas we want to have one per router. Does library-go have something we can use to manage multiple server certificates, or will it only work for the signing certificate and bundle? Anyway, certificate rotation is descoped for 4.0, so I'll add a TODO.
Yeah, right now there's one client+server+CA set per controller, so you would need one controller per router.
Latest push squashes the RBAC change into the main commit; removes the metrics-certs secret, volume, and environment variables; and adds a TODO to use certrotationcontroller.
Force-pushed 4fa14e3 to 6b9ab0a
Generate a CA certificate and use it to generate default certificates for routers. Publish the CA certificate in a configmap, which can be incorporated into CA bundles in order to trust the default certificates.

This commit resolves NE-139.
https://jira.coreos.com/browse/NE-139

* manifests/00-cluster-role.yaml: Grant the operator create, get, list, watch, and delete access to secrets.
* pkg/manifests/manifests.go (RouterServiceInternal): Change serving-cert secret name so as not to conflict with the secret that the operator creates.
* pkg/manifests/manifests_test.go (TestManifests): Adjust for the change to RouterServiceInternal.
* pkg/operator/controller/controller.go (caCertSecretName): (caCertConfigMapName): New constants for the name of the secret and configmap for the CA certificate.
(CACert): New type to hold a cached copy of the CA certificate and to keep track of the resource versions of the most recently successfully observed secret and configmap for the CA certificate.
(Config): Add CACert field.
(ensureRouterForIngress): Call ensureDefaultCertificateForIngress.
(ensureDefaultCertificateForIngress): New function to check that a default certificate exists for a given ClusterIngress, and generate a certificate and create a secret for it if none exists. Use ensureRouterCACertificate to get the certificate used to sign the default certificate.
(ensureRouterCACertificate): New function to get the CA certificate for signing default certificates, and generate a CA certificate and create a configmap and secret for it if none exists.
* test/e2e/operator_test.go (TestRouterCACertificate): New test that gets the configmap with the CA certificate and verifies that the router's default certificate is valid using the CA certificate.
Force-pushed 6b9ab0a to 228c9b3
Latest push changes the annotation on the internal router service so the serving-cert signer will not stomp the secret that the operator creates.
/retest
/hold cancel
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ironcladlou, Miciah
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add library-go dependency
Use self-signed default router certificate
Generate a CA certificate and use it to generate default certificates for routers. Publish the CA certificate in a configmap, which can be incorporated into CA bundles in order to trust the default certificates.
This PR resolves NE-139.
* manifests/00-cluster-role.yaml: Grant the operator create, get, list, watch, and delete access to configmaps.
* pkg/manifests/manifests.go (RouterServiceInternal): Change serving-cert secret name so as not to conflict with the secret that the operator creates.
* pkg/manifests/manifests_test.go (TestManifests): Adjust for the change to RouterServiceInternal.
* pkg/operator/controller/controller.go (caCertSecretName): (caCertConfigMapName): New constants for the name of the secret and configmap for the CA certificate.
  (CACert): New type to hold a cached copy of the CA certificate and to keep track of the resource versions of the most recently successfully observed secret and configmap for the CA certificate.
  (Config): Add CACert field.
  (ensureRouterForIngress): Call ensureDefaultCertificateForIngress.
  (ensureDefaultCertificateForIngress): New function to check that a default certificate exists for a given ClusterIngress, and generate a certificate and create a secret for it if none exists. Use ensureRouterCACertificate to get the certificate used to sign the default certificate.
  (ensureRouterCACertificate): New function to get the CA certificate for signing default certificates, and generate a CA certificate and create a configmap and secret for it if none exists.
* test/e2e/operator_test.go (TestRouterCACertificate): New test that gets the configmap with the CA certificate and verifies that the router's default certificate is valid using the CA certificate.

@ironcladlou, this is WIP for now because the implementation currently requires far too broad permissions for the operator.
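The flow the commit message and the PR description describe, as an added example that is not code from this PR or from the operator: generate a router CA, issue a wildcard default certificate for an ingress domain, publish the CA as the PEM bundle a consumer would read from the configmap, and run the TestRouterCACertificate-style check that the default certificate chains to that CA. It uses only the Go standard library rather than library-go's `MakeServerCert`, and goes a little beyond the PR by also showing the two wildcard edge cases (the bare ingress domain and a host two labels below it do not match `*.<domain>`) and the expiry check a rotation controller would need for the deferred TODO. The ingress domain `apps.example.test`, the CA common name, the lifetimes, and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newKeyAndSerial returns a fresh P-256 key and a random 128-bit serial number.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// makeCA generates the self-signed signing certificate that plays the role of
// the operator's router CA (stored in a secret, published in a configmap).
func makeCA(lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "ingress-operator-router-ca"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeDefaultCert issues the per-router default serving certificate for
// "*.<ingressDomain>", signed by the CA, as the PR's ensureDefaultCertificateForIngress does.
func makeDefaultCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ingressDomain string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	wildcard := "*." + ingressDomain
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: wildcard},
		DNSNames:     []string{wildcard},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caBundlePEM renders the CA the way a consumer would read it from the configmap.
func caBundlePEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// verifyDefaultCert is the e2e-style check: the router's certificate must chain
// to the published CA bundle and be valid for host (hostname matching included).
func verifyDefaultCert(bundlePEM []byte, cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return fmt.Errorf("CA bundle contains no parseable certificates")
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// needsRotation reports whether cert expires within threshold of now; a
// rotation controller would reissue the certificate when this returns true.
func needsRotation(cert *x509.Certificate, now time.Time, threshold time.Duration) bool {
	return !now.Add(threshold).Before(cert.NotAfter)
}

func main() {
	ca, caKey, err := makeCA(5 * 365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	cert, _, err := makeDefaultCert(ca, caKey, "apps.example.test", 2*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	bundle := caBundlePEM(ca)
	for _, host := range []string{"console.apps.example.test", "apps.example.test", "a.b.apps.example.test"} {
		fmt.Printf("%-28s verify: %v\n", host, verifyDefaultCert(bundle, cert, host))
	}
	fmt.Println("rotate within 30 days:", needsRotation(cert, time.Now(), 30*24*time.Hour))
}
```

Only the first host verifies: Go's `Verify` applies the same leftmost-single-label wildcard rule browsers use, so the bare domain and a two-label host fail name matching even though the chain is valid. A bundle from an unrelated CA fails the chain check regardless of host, which is exactly what the e2e test relies on to prove the router is serving the operator-issued certificate.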