Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trust cluster-ingress-operator's CA certificate #145

Merged
merged 1 commit into from
Feb 6, 2019
Merged

Trust cluster-ingress-operator's CA certificate #145

merged 1 commit into from
Feb 6, 2019

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Feb 4, 2019

This commit is related to NE-139.

  • pkg/operator/targetconfigcontroller/targetconfigcontroller.go (manageServiceAccountCABundle): Incorporate cluster-ingress-operator's CA certificate into the trust bundle.

@Miciah
Trust cluster-ingress-operator's CA certificate
5c652ed 
This commit is related to NE-139.

https://jira.coreos.com/browse/NE-139

* pkg/operator/targetconfigcontroller/targetconfigcontroller.go
(manageServiceAccountCABundle): Incorporate cluster-ingress-operator's CA
certificate into the trust bundle.
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 4, 2019
enj
enj reviewed Feb 4, 2019
View reviewed changes
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -228,6 +228,9 @@ func manageServiceAccountCABundle(lister corev1listers.ConfigMapLister, client c
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "managed-kube-apiserver-serving-cert-signer"},
// for now, include the CA we use to sign CSRs
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "csr-controller-ca"},
// include the ca bundle needed to recognize default
// certificates generated by cluster-ingress-operator
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "router-ca"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Miciah this looks fine. I assume the cluster-ingress-operator going to create / manage the router-ca config map in openshift-config-managed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! It will, yeah, pending openshift/cluster-ingress-operator#110 and openshift/cluster-ingress-operator#111.

@enj
Copy link
Contributor

enj commented Feb 4, 2019

@openshift/sig-master PTAL

@Miciah Miciah mentioned this pull request Feb 4, 2019
Closed
@enj
Copy link
Contributor

enj commented Feb 5, 2019

/retest

@enj
Copy link
Contributor

enj commented Feb 5, 2019

@Miciah is the test failure related?

@deads2k
Copy link
Contributor

deads2k commented Feb 5, 2019

I hate that we're doing this. This is dirtying the ca-bundle used to trust the kube-apiserver, opening new avenues for attack, and resulting a big ball of trust where signers that should only be trusted for constrained purposes are now being trusted for other purposes.

I'm going to make @openshift/sig-auth sign off on destroying trust in our cluster.

/approve

@deads2k
Copy link
Contributor

deads2k commented Feb 5, 2019

/assign @enj

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 5, 2019
@smarterclayton
Copy link
Contributor

/approve

@enj
Copy link
Contributor

enj commented Feb 5, 2019

The sins of the father are to be laid upon the children.

/lgtm
/retest

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2019
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, Miciah, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@enj
Copy link
Contributor

enj commented Feb 6, 2019

/retest
/refresh

@enj
Copy link
Contributor

enj commented Feb 6, 2019

/retest

@enj
Copy link
Contributor

enj commented Feb 6, 2019

/test e2e-aws

@openshift-bot
Copy link
Contributor

/retest

@openshift-merge-robot openshift-merge-robot merged commit 7dde0f1 into openshift:master Feb 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj left review comments

@soltysh soltysh Awaiting requested review from soltysh

@sttts sttts Awaiting requested review from sttts

Assignees

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@Miciah @enj @deads2k @smarterclayton @openshift-ci-robot @openshift-bot @openshift-merge-robot