Front proxy CA private key has to be shared across all nodes #752

Closed
yanndegat opened this issue Apr 13, 2018 · 3 comments · Fixed by kubernetes/kubernetes#62643
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.
Comments

@yanndegat

FEATURE REQUEST

You can externalize the CA and delegate TLS cert management to a third party,
but actually you can't do it with the front proxy CA, as kubeadm requires
the private key to be installed on all master nodes.
see:

https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/phases/certs/certs.go#L639

Versions

kubeadm version (use `kubeadm version`): 1.10.0

What you expected

That the front proxy CA key is not required, as the front proxy client TLS keypair can be managed by the third party.

@timothysc
Member

/cc @stealthybox @fabriziopandini

@timothysc timothysc added kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Apr 13, 2018
@stealthybox
Member

/area security
/sig cluster-lifecycle

@xiangpengzhao

Sent a PR kubernetes/kubernetes#62643 to fix this.

@timothysc timothysc added this to the v1.11 milestone Apr 16, 2018
@timothysc timothysc added lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. and removed help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Apr 16, 2018
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Apr 19, 2018
Automatic merge from submit-queue (batch tested with PRs 62481, 62643, 61877, 62515). If you want to cherry-pick this change to another branch, please follow the instructions at https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

Not validating front proxy CA Key when using External CA.

**What this PR does / why we need it**:
"That the front CA key is not required as the front proxy client TLS keypair can be managed by the third party." This PR doesn't validate the front proxy CA key, but checks whether it already exists.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#752

**Special notes for your reviewer**:
@yanndegat @timothysc @stealthybox @fabriziopandini 

**Release note**:

```release-note
NONE
```
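The decision the issue and the merged PR describe, as an added example that is not kubeadm's own code: treat the front-proxy CA as external when `front-proxy-ca.crt` is on disk but `front-proxy-ca.key` is not, and in that case demand a pre-issued `front-proxy-client.crt` that verifies against the CA instead of demanding the key. File names follow kubeadm's `pki` layout; the function names (`CheckFrontProxyCA`, `BuildFixture`), the ECDSA P-256 keys and the constructed certificates are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func loadCert(path string) (*x509.Certificate, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("%s: not a PEM certificate", path)
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckFrontProxyCA (illustrative, not kubeadm's code) reports whether the front-proxy CA
// is external: front-proxy-ca.crt present, front-proxy-ca.key absent. It never demands the
// key; instead it checks that front-proxy-client.crt chains to the CA with a client-auth EKU.
func CheckFrontProxyCA(dir string) (external bool, err error) {
	caCert, err := loadCert(filepath.Join(dir, "front-proxy-ca.crt"))
	if err != nil {
		return false, fmt.Errorf("front-proxy CA certificate: %w", err)
	}
	if _, err := os.Stat(filepath.Join(dir, "front-proxy-ca.key")); err == nil {
		return false, nil // key on disk: kubeadm can issue the client cert itself
	} else if !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	clientCert, err := loadCert(filepath.Join(dir, "front-proxy-client.crt"))
	if err != nil {
		return false, fmt.Errorf("external front-proxy CA needs a pre-issued client cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return false, fmt.Errorf("front-proxy-client.crt not issued by front-proxy-ca.crt: %w", err)
	}
	return true, nil
}

// BuildFixture writes a constructed pki directory: a self-signed front-proxy CA and a client
// cert it issued. With withCAKey=false the CA key never touches disk (third-party CA). Panics on error.
func BuildFixture(dir string, withCAKey bool) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	write := func(name, typ string, der []byte) {
		must(os.WriteFile(filepath.Join(dir, name), pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600))
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "front-proxy-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "front-proxy-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	must(err)
	write("front-proxy-ca.crt", "CERTIFICATE", caDER)
	write("front-proxy-client.crt", "CERTIFICATE", clientDER)
	if withCAKey {
		der, err := x509.MarshalECPrivateKey(caKey)
		must(err)
		write("front-proxy-ca.key", "EC PRIVATE KEY", der)
	}
}

func main() {
	for _, withKey := range []bool{true, false} {
		dir, _ := os.MkdirTemp("", "pki")
		BuildFixture(dir, withKey)
		external, err := CheckFrontProxyCA(dir)
		os.RemoveAll(dir)
		fmt.Println("front-proxy-ca.key on disk:", withKey, "external CA:", external, "err:", err)
	}
}
```

The point a practitioner should take from the external branch is that "key absent" alone is not enough to accept a cluster's PKI: the pre-issued client certificate must actually verify against the CA with the client-auth extended key usage, since that is what the aggregation layer relies on to trust the front proxy. A client certificate from an unrelated CA, or no client certificate at all, is therefore rejected rather than silently accepted.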