modules/tls: modularize TLS provisioning #1811
Conversation
|
/cc @alexsomesan @squat |
|
ok to test |
alexsomesan
requested review from
aaronlevy,
alekssaul,
alexsomesan and
coresolve
|
ok to test |
|
ok to test |
|
My 30 second take would be:
This would need to have migration code written to copy the kube-ca in existing clusters to the oidc-ca.crt in the secret file.
Would require that the above migration is done so that the new secret/path exists. Then if patch implementation is finished this flag could be fixed as part of normal update process. If it's not finished, need to write migration for all existing clusters to update to the new path.
If we can get the patch implementation finished, this should be handled with the normal manifest update. If not, we need to write migration code to add this env var to all existing clusters.
As long as names/paths didn't change, and only the content this is probably fine. |
|
Thanks for the heads up, this is a good candidate for early testing using the merge strategy. |
| type: Opaque | ||
| data: | ||
| ca-cert: ${ca_cert} | ||
| ca-cert: ${ingress_ca_cert} |
There was a problem hiding this comment.
This needs to be the CA cert for the CA that signed the identity certificates, not the CA that signed the ingress certs. In its current state, tectonic-console will fail to come up because the identity TLS certs are not trusted. I don't think anyone actually requires the ingress CA cert. We can remove it from the ingress certs module API.
There was a problem hiding this comment.
In our current setup yes, but not in the case of user-provided, externally signed certs. In the case of user provided certs this is the public CA that signed the ingress CSR, i.e. some public authority (I used let's encrypt for my tests).
You need to set BRIDGE_DEX_CLIENT_CA_FILE (Dex's identity GRPC client CA) in console, otherwise console would crash loop as you mentioned, see 40da8e2#diff-75010753e0caeb22b20777ee897ebebdR102. (I don't see this setting in your PR https://github.com/coreos/tectonic-installer/pull/1818/files).
Side note: I tested successfully this PR with certs signed with let's encrypt, providing them as described in https://github.com/s-urbaniak/tectonic-installer/blob/40da8e2a840df0254c15c5b90947e561812bc563/modules/tls/ingress/user-provided/README.md.
I hope that clarifies it a bit. I will draw a graph today which gives more clarity about our TLS topology. @sym3tri and me yesterday did a first pass and he documented the results in https://docs.google.com/document/d/1nRkwCCL5QkqeqUwMPo1ax2gBLzQ-x7keMI98pSxljL4/edit.
There was a problem hiding this comment.
Hmm there is one detail that seems odd to me. Does console use BRIDGE_CA_FILE as the Dex CA cert if that cert is not explicitly passed? That is a funny gotcha that we should rectify.
There was a problem hiding this comment.
Yes, just confirmed that dex ca defaults to the console ca, that's was the source of my confusion. I'll make sure to add both flags to my PR as well.
|
ok to test |
2 similar comments
|
ok to test |
|
ok to test |
|
just fyi: also tested that this change becomes idempotent in conjunction with the changes made in the kvo. |
|
@alexsomesan PTAL, CI is flaky, but this PR used to be green (just moved one line in env vars) and tested locally. |
alexsomesan
left a comment
alexsomesan
left a comment
There was a problem hiding this comment.
Looks great from a TF perspective.
I'll trigger the tests one more time.
Ideally we pair this up with a smoke test that procures some certs, injects them into the installer and checks from a client's perspective if all looks as expected.
But I presume that's quite a bit of work, so most likely should be a follow up.
|
retest this please |
This adds a new modules under `modules/tls/*` which is necessary for swappable TLS certificates.
Currently everything is based off the Kube CA certificate. This changes it by: 1. Configuring a dedicated Dex client CA in Tectonic console pointing to the identity grpc client CA. 2. Configuring a dedicated OIDC CA certificate for the API server. 3. Configuring a dedicated ingress CA certificate for the Tectonic console. This will allow to specify separate CA certificates.
Definitely 👍 we can do this though only once optional modules land, currently this is a manual process. |
hence merging to move forward. |
This reverts commit db65ea2.
We set this in both kube-apiserver-secret.go and openshift-apiserver-secret.go, and we started setting this in db65ea2 (modules/tls: modularize TLS provisioning, 2017-09-13, coreos/tectonic-installer#1811). But we have been using the kube-ca value for it since at least 4d636d3 (asset/manifests: bootstrap manifest generation, 2018-08-31, openshift#286) and I see no other OpenShift consumers [1]. [1]: https://github.com/search?q=org%3Aopenshift+oidc-ca.crt&type=Code
7 participants
Currently everything is based off the Kube CA certificate.
This changes it by:
modules/tlssubsystems. This allows swapping in/out user-provided vs. self-signed certificates./cc @aaronlevy @sym3tri Note this PR introduces manifest changes! I distilled those in 40da8e2:
oidc-ca.crtinkube-apiserver-secret.yaml. This can point to the Kube CA in existing clusters.--oidc-ca-filesetting of the API server which previously pointed to the Kube CA and now points to the aboveoidc-ca.crtBRIDGE_DEX_CLIENT_CA_FILEenv variable in the console deployment which points to the grpc client CA certificatetectonic-identity-grpc-client-secret/ca-cert. This secret is already present in existing clusters.ca-certin thetectonic-ca-cert-secretsecret now points to a dedicated ingress CA certificate, currently effectively pointing to the Kube CA in existing clusters. I don't envision a necessary upgrade path here, but added it in this list for completeness.Fixes INST-64