Trust cluster-ingress-operator's CA certificate #145
Conversation
This commit is related to NE-139. https://jira.coreos.com/browse/NE-139

* pkg/operator/targetconfigcontroller/targetconfigcontroller.go (manageServiceAccountCABundle): Incorporate cluster-ingress-operator's CA certificate into the trust bundle.
@@ -228,6 +228,9 @@ func manageServiceAccountCABundle(lister corev1listers.ConfigMapLister, client c | |||
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "managed-kube-apiserver-serving-cert-signer"}, | |||
// for now, include the CA we use to sign CSRs | |||
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "csr-controller-ca"}, | |||
// include the ca bundle needed to recognize default | |||
// certificates generated by cluster-ingress-operator | |||
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "router-ca"}, |
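Review bot: the new ResourceLocation for router-ca widens what the bundle built by manageServiceAccountCABundle accepts, because every CA merged into it is trusted for the same purpose as the kube-apiserver serving-cert signer listed above it; the comment on the added lines should therefore say why clients that verify the API server need to trust the signer of ingress default certificates, reference NE-139, and state whether the entry is temporary in the way the preceding `// for now, include the CA we use to sign CSRs` entry does. A smaller point: the neighbouring comments write "CA", the new one writes "ca bundle".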
@Miciah this looks fine. I assume the cluster-ingress-operator is going to create / manage the router-ca config map in openshift-config-managed?
Thanks! It will, yeah, pending openshift/cluster-ingress-operator#110 and openshift/cluster-ingress-operator#111.
@openshift/sig-master PTAL
/retest
@Miciah is the test failure related?
I hate that we're doing this. This is dirtying the ca-bundle used to trust the kube-apiserver, opening new avenues for attack, and resulting in a big ball of trust where signers that should only be trusted for constrained purposes are now being trusted for other purposes. I'm going to make @openshift/sig-auth sign off on destroying trust in our cluster. /approve
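The trust widening described in the comment above can be shown with a small Go program. This is an added example, not code from this PR or from cluster-kube-apiserver-operator: it constructs two throwaway CAs standing in for the kube-apiserver serving-cert signer and for router-ca, has the router-side CA issue a serving certificate under the API server's service name, and checks which bundle accepts it. The function names (mkCert, newCA, issueServing, verifiesAs, TrustScopeDemo), the CA subjects and the DNS name are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert generates a P-256 key, signs tmpl with parent/parentKey (or with the new
// key itself when parentKey is nil, for a self-signed root) and returns both.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a constructed self-signed CA named cn (stand-in for a real signer).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mkCert(tmpl, nil, nil)
}

// issueServing has the given CA sign a TLS serving certificate valid for dnsName.
func issueServing(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := mkCert(tmpl, ca, caKey)
	return cert, err
}

// verifiesAs reports whether leaf chains to one of roots when presented for host,
// which is the check a client holding that CA bundle performs during TLS.
func verifiesAs(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// TrustScopeDemo returns (narrow, merged): whether a certificate issued by the
// router-side CA for the API server's name passes a bundle holding only the
// apiserver signer, and a bundle that also holds router-ca.
func TrustScopeDemo() (narrow, merged bool, err error) {
	apiCA, _, err := newCA("kube-apiserver-serving-cert-signer") // constructed
	if err != nil {
		return false, false, err
	}
	routerCA, routerKey, err := newCA("router-ca") // constructed
	if err != nil {
		return false, false, err
	}
	// X.509 alone does not stop any CA in a bundle from issuing for any name;
	// the bundle is only as narrow as the signers it contains.
	const apiHost = "kubernetes.default.svc" // assumed API server service name
	leaf, err := issueServing(routerCA, routerKey, apiHost)
	if err != nil {
		return false, false, err
	}
	narrow = verifiesAs(leaf, apiHost, apiCA)
	merged = verifiesAs(leaf, apiHost, apiCA, routerCA)
	return narrow, merged, nil
}

func main() {
	narrow, merged, err := TrustScopeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("apiserver-signer-only bundle accepts router-ca leaf: %v; merged bundle: %v\n", narrow, merged)
}
```

With `go run`, the narrow pool rejects the certificate (an "unknown authority" verification error) while the merged pool accepts it. That difference is the reason for keeping a per-purpose bundle to exactly the signers that purpose needs, or for constraining any additional signer before merging it.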
/assign @enj
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, enj, Miciah, smarterclayton
/retest
/retest
/test e2e-aws
/retest