-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always publish router-ca configmap #329
Always publish router-ca configmap #329
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: benjaminapetersen The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This strategy was rejected by the auth team: openshift/cluster-kube-apiserver-operator#222 (comment) Also, I don't think it solves the problem you want to solve—if the |
Can we get an EP instead? This topic is too confused to reason about through disconnected conversations in the context of the ingress operator. Can we spell out exactly what is published and under what conditions, who consumes what and how? |
@benjaminapetersen: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@Miciah thanks for the details! @ironcladlou definitely in favor of that request, I would like a doc describing what is published under what circumstances so we can make a clean decision about how to consume. Is anyone owning that? |
I can put together an enhancement proposal describing |
authentication and console operators and logically oauth-proxies all need to be able to trust the default wildcard certificate for the router, regardless of where it comes from. This is needed for end-to-end health checks and oauth server trust during the three legged oauth dance. I'd like to see an enhancement from the ingress team or even better a PR from the networking team. I'm glad to see active involvement from the console team trying to resolve the issue. @sttts this has a big impact, @benjaminapetersen may need some help while I'm out on PTO. |
The situation with oauth-proxy is even worse than that: It needs both the certificate and key because oauth-proxy terminates TLS for its passthrough route with a host under the ingress domain. For that reason, the authentication operator is now using the |
openshift/enhancements#126 adds an enhancement to describe the current situation. It's a quick draft and does not address where we need to go, but it might useful as a starting point. |
@Miciah I'm a bit confused by some of these comments:
As far as I can tell that comment tries to prevent you from adding your CA in the bundle for client-CAs, and that comment is right. I don't see how that relates to always publishing the
I think this might be just a typo, but oauth-proxy does not require you to do that, it's the oauth-server.
Why wouldn't you publish the correct CA in the router-ca configMap in that case? |
All right, but if we published
You're right, it is oauth-server that needs the certificate and key. Does oauth-proxy need the CA or certificate at all?
Because we do not have it if a custom default certificate is used (or we may have it, but we would need to analyze the provided default certificate secret and check the proxy trusted CA and any other locations where it might have been provided). |
It seems we do want/need one component to do the analysis & get the correct cert to the target location in |
I recommend the conversation be taken to openshift/enhancements#126 |
No, you would have to make sure you are publishing the correct CA cert. If it signs the server cert for routes, it is in use by the ingress-operator, isn't it?
oauth-proxy needs at least the router-ca, it consumes it from
In that case, why wouldn't you grab its CA from it (or from the secret) and publish it in router-ca?
You shouldn't need to check the proxy-trusted CA, that CM should only contain a CA to connect to a MitM proxy, not to a route.
Sure, if you could only answer the questions from this comment, I'm still trying to understand the problem. |
Correct.
That would be an option, but the secret may not have the CA, and publishing |
Hm, that's bad, I would have kind of expected the CA to be always included. I guess it might make sense to revisit it in the enhancement, although it sounds like it might be hard to get such requirement in at this point |
Superseded by #331 |
@Miciah: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
It seems likely we will always have a need for the
router-ca
, given several of the bugs we have been dealing with. Is there any negative in always publishing this CA?/assign @Miciah
/cc @spadgett @deads2k
per ongoing conversations