AUTH-296: work out etcd certificates #975
Conversation
This PR now follows the certificate configuration from https://github.com/stlaz/etcd-certs.
/test e2e-openshift-conformance-sig-node
What's the purpose of the .image_references empty file? What do we gain in terms of security by making this repo unimportable?
I do not know its purpose. The repository is currently unimportable because the filename is malformed, the commit is fixing it.
/retest
/lgtm
The dot at the end of the filename makes this repository unimportable from outside
somehow a lonely
/test periodic-ocp-4.13-images
@stlaz: The following test failed, say
/retest
@oglok I think this might be good for re-tagging 🙂
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: oglok, stlaz.
I was not yet able to learn what's important for etcd serving/peer certs so I'm going with minimal config where client certificates only follow the kube CN and O schemes, and serving certificates get their hostnames in DNS/IPs SANs.
The PR is rebased on top of #970 and can only merge once this one merges.
It's very likely that we may not see any failures in etcd because no peer communication is likely to happen with just one etcd instance. I'll need to test the cert setup with at least 2 etcds or ask someone with the necessary knowledge about how the peer certs should look.
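The split described in the PR body, shown as an added example that is not code from the PR or its project (Go standard library only, Ed25519 keys, constructed hostname and CN/O values): a client verifying an etcd serving cert matches the dialed host against the DNS/IP SANs, while a server accepting a client cert ignores SANs and takes the user from CN and the groups from O, as kube does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // a template mistake is a programming error in this constructed example
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// MakeCerts issues a constructed CA, a serving cert whose hostname and IP live in the SANs,
// and a client cert whose identity lives only in CN (user) and O (group), as kube expects.
func MakeCerts(host string, ip net.IP) (ca, serving, client *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // one shared leaf key is enough for these checks; real deployments issue one per leaf
	now, hour := time.Now(), time.Hour
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-ca"},
		NotBefore: now, NotAfter: now.Add(hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caT, caT, caPub, caKey)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, IPAddresses: []net.IP{ip}, NotBefore: now, NotAfter: now.Add(hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cli := &x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: now, NotAfter: now.Add(hour),
		Subject:  pkix.Name{CommonName: "etcd-client", Organization: []string{"etcd-clients"}}, // constructed names
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return ca, issue(srv, ca, leafPub, caKey), issue(cli, ca, leafPub, caKey)
}

// Identity chains leaf to ca for the given usage and returns its kube-style identity (CN = user, O = groups).
// host, when non-empty, must match a SAN: that is the client-side check of a serving cert; a server checking
// a client cert passes "" because the client's identity is carried by the subject, not by SANs.
func Identity(leaf, ca *x509.Certificate, host string, eku x509.ExtKeyUsage) (string, []string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}
```

The last two checks matter most for etcd: a cert issued for client use is rejected as a serving cert, and a serving cert for one node is rejected when another node's name is dialed.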