This repository was archived by the owner on Feb 5, 2020. It is now read-only.

Conversation

@s-urbaniak
Contributor

Currently everything is based off the Kube CA certificate.

This changes it by:

  1. Modularization of TLS bootstrapping into separate modules/tls subsystems. This allows swapping in/out user-provided vs. self-signed certificates.
  2. Configuring a dedicated Dex client CA in Tectonic console pointing to the identity grpc client CA.
  3. Configuring a dedicated OIDC CA (pointing currently to the ingress CA) certificate for the API server.
  4. Configuring a dedicated ingress CA certificate for the Tectonic console.
modules/tls/
├── etcd (self-signed or user-provided)
├── identity
│   └── self-signed
├── ingress
│   ├── self-signed
│   └── user-provided
└── kube
    └── self-signed
  1. Added oidc-ca.crt in kube-apiserver-secret.yaml. This can point to the Kube CA in existing clusters.
  2. Changed the --oidc-ca-file setting of the API server, which previously pointed to the Kube CA and now points to the above oidc-ca.crt.
  3. Added the BRIDGE_DEX_CLIENT_CA_FILE env variable in the console deployment which points to the grpc client CA certificate tectonic-identity-grpc-client-secret/ca-cert. This secret is already present in existing clusters.
  4. The ca-cert in the tectonic-ca-cert-secret secret now points to a dedicated ingress CA certificate, currently effectively pointing to the Kube CA in existing clusters. I don't envision a necessary upgrade path here, but added it in this list for completeness.

Fixes INST-64

Re-opened and rebased version of #1811
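The wiring described in items 1 to 3 above, as an added illustration in Kubernetes manifests rather than the project's own files: the API server reads oidc-ca.crt from a mounted secret through --oidc-ca-file instead of reusing the cluster CA, and the console receives BRIDGE_DEX_CLIENT_CA_FILE from the existing tectonic-identity-grpc-client-secret. Mount paths, the secret name kube-apiserver-secret, the image placeholders and the labels are assumptions.

```yaml
# Added illustration, not from tectonic-installer. Mount paths, secret name
# kube-apiserver-secret, images and labels are assumptions; the rest is from the PR.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
    - name: kube-apiserver
      image: KUBE_APISERVER_IMAGE   # placeholder
      command:
        - kube-apiserver
        # Before: the OIDC trust anchor was the cluster CA, so any certificate
        # the Kube CA had issued was also accepted for the OIDC issuer.
        # - --oidc-ca-file=/etc/kubernetes/secrets/ca.crt
        - --oidc-ca-file=/etc/kubernetes/secrets/oidc-ca.crt
      volumeMounts:
        - { name: secrets, mountPath: /etc/kubernetes/secrets, readOnly: true }
  volumes:
    - name: secrets
      secret:
        secretName: kube-apiserver-secret   # holds the key oidc-ca.crt
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tectonic-console
spec:
  selector:
    matchLabels: { app: tectonic-console }
  template:
    metadata:
      labels: { app: tectonic-console }
    spec:
      containers:
        - name: tectonic-console
          image: CONSOLE_IMAGE   # placeholder
          env:
            # Dedicated CA for the console's gRPC client connection to Dex.
            - name: BRIDGE_DEX_CLIENT_CA_FILE
              value: /etc/tectonic/identity-grpc-client/ca-cert
          volumeMounts:
            - { name: dex-ca, mountPath: /etc/tectonic/identity-grpc-client, readOnly: true }
      volumes:
        - name: dex-ca
          secret:
            secretName: tectonic-identity-grpc-client-secret
            items: [ { key: ca-cert, path: ca-cert } ]
```

Each component now trusts only the CA that signs the peer it actually talks to, so a certificate minted by one CA (for example an etcd or kubelet client cert from the Kube CA) cannot be presented to the console or the API server's OIDC verifier as if it were the issuer's.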

alexsomesan
alexsomesan previously approved these changes Sep 14, 2017
Contributor

@alexsomesan alexsomesan left a comment


LGTM

Sergiusz Urbaniak added 2 commits September 14, 2017 16:06
This adds new modules under `modules/tls/*` which are necessary for swappable TLS certificates.
Currently everything is based off the Kube CA certificate.

This changes it by:
1. Configuring a dedicated Dex client CA in Tectonic console pointing to the identity grpc client CA.
2. Configuring a dedicated OIDC CA certificate for the API server.
3. Configuring a dedicated ingress CA certificate for the Tectonic console.

This will allow specifying separate CA certificates.
@alexsomesan alexsomesan merged commit d38ebc9 into coreos:master Sep 14, 2017
nreisbeck pushed a commit to nreisbeck/tectonic-installer that referenced this pull request Oct 19, 2017

2 participants