Bug 1788712: publish a router-ca that can be used to verify routes in golang clients #331
Conversation
openshift-ci-robot
added
the
size/L
| errs = append(errs, fmt.Errorf("failed to get custom router cert: %v", err)) | ||
| return result, utilerrors.NewAggregate(errs) | ||
| } | ||
| caBundle = string(controllerMaintainedSigningCertKey.Data["tls.crt"]) |
There was a problem hiding this comment.
This should be secret.Data["tls.crt"], right?
Why is the default ingress controller more secure than any other ingress controller? |
On a typical cluster, it is more sensitive because it has the domain that is used for OAuth. |
It's created and managed by the platform. The rest are not. |
The cluster ingress operator deployment only manages ingresscontrollers that the cluster administrator creates in the |
|
I'm planning to update this so that instead of changing the meaning of an existing configmap, we also create one named |
|
Thanks! I have updated openshift/enhancements#126 to describe the approach that David describes above (#331 (comment)). @deads2k, we talked about always publishing the default certificate rather than the CA certificate (even in the case that the operator has generated the default certificate and therefore has the CA certificate); if take that approach, do you want to change the name of the new ConfigMap from |
|
/retest |
|
@deads2k, I see you changed
|
deads2k
force-pushed
the
router-ca
branch
2 times, most recently
from
0ad39c1
to
7005e5c
Compare
…in golang clients
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/cherrypick release-4.3 |
|
@Miciah: new pull request created: #336 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retitle Bug 1788712: publish a router-ca that can be used to verify routes in golang clients |
openshift-ci-robot
changed the title
|
@deads2k: All pull requests linked via external trackers have merged. Bugzilla bug 1788712 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
An explanation in code of how to fill in the router-ca.
Immediate mission: allow the default-ingress-ca to always contain a ca-bundle.crt that golang clients can use to validate the ingress wildcard certificate for the default ingresscontroller. To do this
oc get -n openshift-ingress-operator ingresscontroller/default, do not publish.data["tls.crt "]value in that secret to therouter-ca.data["ca-bundle.crt"]ensureRouterCASecretsecret's.data.["tls.crt"]If we can agree to this approach to solve the immediate 4.1, 4.2, and 4.3 problem, then we can update the enhancement.
Future mission: it may be useful to have a ca bundle that can terminate any ingress wildcard. This seems simple, but it has security repercussions that would effectively be elevating privilege for every ingress-controller. We have to decide if this ingress-controllers are system trusted or not. Those that are not may not update this configmap. I suspect this is already a security hole.