AUTH-323: Separate Aggregate Client trust chain from rootCA #1831
Conversation
/retest
} | ||
} | ||
|
||
func KASAggregatorSignerSecret(ns string) *corev1.Secret { |
unused
func AggregateClientCAConfigMap(ns string) *corev1.ConfigMap { | ||
return &corev1.ConfigMap{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "aggregator-client-ca", |
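Review bot: the function name `AggregateClientCAConfigMap` and the object name `"aggregator-client-ca"` disagree; this ConfigMap holds the client CA of the KAS API aggregator rather than an aggregate of anything, so the function (and the `ReconcileAggregateClientCA` / `kasAggregateClientSigner` names used with it elsewhere in this PR) should say "Aggregator" to match the resource name. Defining the ConfigMap alone is not enough: the kube-apiserver configuration has to reference it as the aggregator client CA bundle, otherwise the separated trust chain is never consulted and the change has no security effect.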
this needs to be wired into the KAS config
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: ibihim. The full list of commands accepted by this bot can be found here.
/lgtm
CI is broken
/retitle AUTH-323: Separate Aggregate Client trust chain from rootCA
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
New changes are detected. LGTM label has been removed.
/retest-required
@ibihim: The following tests failed, say
kasAggregateClientCA := manifests.AggregateClientCAConfigMap(hcp.Namespace) | ||
if _, err := createOrUpdate(ctx, r, kasAggregateClientCA, func() error { | ||
return pki.ReconcileAggregateClientCA(kasAggregateClientCA, p.OwnerRef, kasAggregateClientSigner) | ||
}); err != nil { | ||
return fmt.Errorf("failed to reconcile combined CA: %w", err) | ||
} |
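Review bot: the error string on the `return fmt.Errorf("failed to reconcile combined CA: %w", err)` line does not describe what this block reconciles; the call is `pki.ReconcileAggregateClientCA(...)` on the aggregator client CA ConfigMap, and a "combined CA" message in the controller log will send whoever debugs a failed reconcile to the wrong resource. Suggest `return fmt.Errorf("failed to reconcile aggregator client CA: %w", err)`; the renamed variant suggested in review keeps the same string, so it needs the same fix in either version.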
It seems that the configmap is missing in the control-plane of the aws run?
Also, naming should be:
kasAggregateClientCA := manifests.AggregateClientCAConfigMap(hcp.Namespace) | |
if _, err := createOrUpdate(ctx, r, kasAggregateClientCA, func() error { | |
return pki.ReconcileAggregateClientCA(kasAggregateClientCA, p.OwnerRef, kasAggregateClientSigner) | |
}); err != nil { | |
return fmt.Errorf("failed to reconcile combined CA: %w", err) | |
} | |
kasAggregatorClientCA := manifests.AggregatorClientCAConfigMap(hcp.Namespace) | |
if _, err := createOrUpdate(ctx, r, kasAggregatorClientCA, func() error { | |
return pki.ReconcileAggregatorClientCA(kasAggregatorClientCA, p.OwnerRef, kasAggregatorClientSigner) | |
}); err != nil { | |
return fmt.Errorf("failed to reconcile combined CA: %w", err) | |
} |
This is not an aggregate of anything but the client cert of the KAS API aggregator.
/close Continuing in my PR #1837
@stlaz: Closed this PR. In response to this:
What
This is a WIP for a distinct CA for the aggregated client certs.
Why
Signed-off-by: Krzysztof Ostrowski kostrows@redhat.com