New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1788712: publish a router-ca that can be used to verify routes in golang clients #331
Conversation
errs = append(errs, fmt.Errorf("failed to get custom router cert: %v", err)) | ||
return result, utilerrors.NewAggregate(errs) | ||
} | ||
caBundle = string(controllerMaintainedSigningCertKey.Data["tls.crt"]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be secret.Data["tls.crt"]
, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
Why is the default ingress controller more secure than any other ingress controller? |
On a typical cluster, it is more sensitive because it has the domain that is used for OAuth. |
It's created and managed by the platform. The rest are not. |
The cluster ingress operator deployment only manages ingresscontrollers that the cluster administrator creates in the |
I'm planning to update this so that instead of changing the meaning of an existing configmap, we also create one named |
Thanks! I have updated openshift/enhancements#126 to describe the approach that David describes above (#331 (comment)). @deads2k, we talked about always publishing the default certificate rather than the CA certificate (even in the case that the operator has generated the default certificate and therefore has the CA certificate); if take that approach, do you want to change the name of the new ConfigMap from |
/retest |
@deads2k, I see you changed
|
0ad39c1
to
7005e5c
Compare
…in golang clients
/retest |
1 similar comment
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cherrypick release-4.3 |
@Miciah: new pull request created: #336 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retitle Bug 1788712: publish a router-ca that can be used to verify routes in golang clients |
@deads2k: All pull requests linked via external trackers have merged. Bugzilla bug 1788712 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
An explanation in code of how to fill in the router-ca.
Immediate mission: allow the default-ingress-ca to always contain a ca-bundle.crt that golang clients can use to validate the ingress wildcard certificate for the default ingresscontroller. To do this
oc get -n openshift-ingress-operator ingresscontroller/default
, do not publish.data["tls.crt "]
value in that secret to therouter-ca.data["ca-bundle.crt"]
ensureRouterCASecret
secret's.data.["tls.crt"]
If we can agree to this approach to solve the immediate 4.1, 4.2, and 4.3 problem, then we can update the enhancement.
Future mission: it may be useful to have a ca bundle that can terminate any ingress wildcard. This seems simple, but it has security repercussions that would effectively be elevating privilege for every ingress-controller. We have to decide if this ingress-controllers are system trusted or not. Those that are not may not update this configmap. I suspect this is already a security hole.