Use self-signed default router certificate #109
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
openshift-ci-robot
added
the
approved
|
What about storing the CA cert itself in |
Yeah, that seems reasonable. We still want to put the secret for the default certificate in |
|
/retest |
|
/hold |
openshift-ci-robot
added
do-not-merge/hold
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
da0cb43
to
6ef8c19
Compare
openshift-ci-robot
removed
the
needs-rebase
|
Latest push adds a |
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
6ef8c19
to
db522b1
Compare
|
/retest |
1 similar comment
|
/retest |
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
db522b1
to
a2f816f
Compare
|
Latest push changes the name of the CA certificate in the |
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
a2f816f
to
4fa14e3
Compare
|
Fix |
|
/retest |
| @@ -8,6 +8,7 @@ rules: | |||
| - "" | |||
| resources: | |||
| - namespaces | |||
| - secrets | |||
There was a problem hiding this comment.
Yeah, but how can you get around that? That's the problem with this approach.
At least it's not the router that can read secrets.
There was a problem hiding this comment.
True. Only way I know of to get around it is to let the CVO create the openshift-ingress namespace and a role binding in that namespace for the operator SA.
There was a problem hiding this comment.
After further discussion, we decided to defer this issue for now.
|
@ericavonb @enj @mrogers950 FYI & please feel free to comment |
|
LGTM but I'll hold off tagging until @Miciah has had a chance to comment on whether he's satisfied |
| return fmt.Errorf("failed to get CA certificate: %v", err) | ||
| } | ||
| hostnames := sets.NewString(fmt.Sprintf("*.%s", *ci.Spec.IngressDomain)) | ||
| cert, err := ca.MakeServerCert(hostnames, 0) |
There was a problem hiding this comment.
Rather than a single creation of the CA and cert, you should use the library-go certificate rotators. You'll get creation and rotation on both for free.
CA rotator example:
https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/certrotationcontroller/certrotationcontroller.go#L150
Server cert rotator example: https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/certrotationcontroller/certrotationcontroller.go#L175
There was a problem hiding this comment.
@mrogers950, thanks for the pointer! It looks like certrotationcontroller is designed to handle a single server certificate whereas we want to have one per router. Does library-go have something we can use to manage multiple server certifcates, or will it only work for the signing certificate and bundle? Anyway, certificate rotation is descoped for 4.0, so I'll add a TODO.
There was a problem hiding this comment.
Yeah, right now there's one client+server+CA set per controller, so you would need one controller per router.
|
Latest push squashes the RBAC change into the main commit; removes the metrics-certs secret, volume, and environment variables; and adds a TODO to use certrotationcontroller. |
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
4fa14e3
to
6b9ab0a
Compare
Miciah
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
Generate a CA certificate and use it to generate default certificates for routers. Publish the CA certificate in a configmap, which can be incorporated into CA bundles in order to trust the default certificates. This commit resolves NE-139. https://jira.coreos.com/browse/NE-139 * manifests/00-cluster-role.yaml: Grant the operator create, get, list, watch, and delete access to secrets. * pkg/manifests/manifests.go (RouterServiceInternal): Change serving-cert secret name so as not to conflict with the secret that the operator creates. * pkg/manifests/manifests_test.go (TestManifests): Adjust for the change to RouterServiceInternal. * pkg/operator/controller/controller.go (caCertSecretName): (caCertConfigMapName): New constants for the name of the secret and configmap for the CA certificate. (CACert): New type to hold a cached copy of the CA certificate and to keep track of the resource versions of the most recently successfully observed secret and configmap for the CA certificate. (Config): Add CACert field. (ensureRouterForIngress): Call ensureDefaultCertificateForIngress. (ensureDefaultCertificateForIngress): New function to check that a default certificate exists for a given ClusterIngress, and generate a certificate and create a secret for it if none exists. Use ensureRouterCACertificate to get the certificate used to sign the default certificate. (ensureRouterCACertificate): New function to get the CA certificate for signing default certificates, and generate a CA certificate and create a configmap and secret for it if none exists. * test/e2e/operator_test.go (TestRouterCACertificate): New test that gets the configmap with the CA certificate and verifies that the router's default certificate is valid using the CA certificate.
Miciah
force-pushed
the
NE-139-use-self-signed-default-routing-certificate
branch
from
6b9ab0a
to
228c9b3
Compare
|
Latest push changes the annotation on the internal router service so the serving-cert signer will not stomp the secret that the operator creates. |
|
/retest |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ironcladlou, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add library-go dependency
Use self-signed default router certificate
Generate a CA certificate and use it to generate default certificates for routers. Publish the CA certificate in a configmap, which can be incorporated into CA bundles in order to trust the default certificates.
This PR resolves NE-139.
manifests/00-cluster-role.yaml: Grant the operator create, get, list, watch, and delete access to configmaps.pkg/manifests/manifests.go(RouterServiceInternal): Change serving-cert secret name so as not to conflict with the secret that the operator creates.pkg/manifests/manifests_test.go(TestManifests): Adjust for the change toRouterServiceInternal.pkg/operator/controller/controller.go(caCertSecretName):(
caCertConfigMapName): New constants for the name of the secret and configmap for the CA certificate.(
CACert): New type to hold a cached copy of the CA certificate and to keep track of the resource versions of the most recently successfully observed secret and configmap for the CA certificate.(
Config): AddCACertfield.(
ensureRouterForIngress): CallensureDefaultCertificateForIngress.(
ensureDefaultCertificateForIngress): New function to check that a default certificate exists for a given ClusterIngress, and generate a certificate and create a secret for it if none exists. UseensureRouterCACertificateto get the certificate used to sign the default certificate.(
ensureRouterCACertificate): New function to get the CA certificate for signing default certificates, and generate a CA certificate and create a configmap and secret for it if none exists.test/e2e/operator_test.go(TestRouterCACertificate): New test that gets the configmap with the CA certificate and verifies that the router's default certificate is valid using the CA certificate.@ironcladlou, this is WIP for now because the implementation currently requires far too broad permissions for the operator.