-
Notifications
You must be signed in to change notification settings - Fork 191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AUTH-296: Finish the removal of the root CA #1031
Conversation
8e05819
to
700e744
Compare
/retest-required |
2505ac6
to
3bd4f5a
Compare
3bd4f5a
to
b560269
Compare
/retest |
@stlaz: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
b560269
to
fe61452
Compare
The errors turned out to be because of the changes to assets locations, should be fixed now |
kind: Secret | ||
metadata: | ||
namespace: openshift-ingress | ||
name: router-certs-default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this name match the change in service-internal.yaml?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it shouldn't, these are two different secrets
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is more aligned with what OCP has, right?
An OCP 4.12 cluster has the following objects:
oc --kubeconfig kubeconfig-clusterbot get secret router-certs-default -n openshift-ingress
NAME TYPE DATA AGE
router-certs-default kubernetes.io/tls 2 41m
[root@maxwell ~]# oc --kubeconfig kubeconfig-clusterbot get svc router-internal-default -n openshift-ingress -o yaml
apiVersion: v1
kind: Service
metadata:
annotations:
service.alpha.openshift.io/serving-cert-secret-name: router-metrics-certs-default
service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1667219307
service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1667219307
creationTimestamp: "2022-10-31T12:29:41Z"
labels:
ingresscontroller.operator.openshift.io/owning-ingresscontroller: default
name: router-internal-default
namespace: openshift-ingress
ownerReferences:
- apiVersion: apps/v1
controller: true
kind: Deployment
name: router-default
uid: 158f6632-1e72-42e1-a455-e3412ac5666a
resourceVersion: "9123"
uid: daded2dc-55fd-41b1-b690-a46e11a5b171
spec:
clusterIP: 172.30.158.236
clusterIPs:
- 172.30.158.236
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
- name: metrics
port: 1936
protocol: TCP
targetPort: 1936
selector:
ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
sessionAffinity: None
type: ClusterIP
status:
loadBalancer: {}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, OCP separates the trust for external (routes) and internal cluster services.
In OCP, for the router, we use the internal router port to scrape metrics from, and so on the service network we use the service-ca-signed certificate, as that is the certificate Prometheus should trust for these purposes.
Service-CA should only ever sign the internal services so that services running in the cluster can choose to only trust the internal cluster traffic. The external router interface is signed by a different certificate that, unlike the service-ca cert, should appear in the end-user trust bundle.
@stlaz could you please rebase? |
90f7f90
to
1deea1b
Compare
@oglok done! 👍 |
Ok, PR has been reviewed and tested. Great work @stlaz ! Glad to be merging this important milestone! /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: oglok, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR does a couple of things in order to be able to finally remove the root CA:
depends on: