add internal load balancer cert by deads2k · Pull Request #405 · openshift/cluster-kube-apiserver-operator

deads2k · 2019-04-15T14:05:20Z

Updates us to rotate teh internal load-balancer serving cert and serve with it.

/assign @mfojtik
@sjenning

openshift-ci-robot · 2019-04-15T14:05:41Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mfojtik · 2019-04-15T17:03:06Z

pkg/operator/certrotationcontroller/externalloadbalancer.go

+)
+
+func (c *CertRotationController) syncExternalLoadBalancerHostnames() error {
+	hostnames := sets.NewString()


why is this set if we only use it to insert one item?

mfojtik · 2019-04-15T17:06:08Z

pkg/operator/certrotationcontroller/internalloadbalancer.go

+)
+
+func (c *CertRotationController) syncInternalLoadBalancerHostnames() error {
+	hostnames := sets.NewString()


same question here

openshift-ci-robot · 2019-04-15T17:10:06Z

New changes are detected. LGTM label has been removed.

deads2k · 2019-04-15T17:11:00Z

lgtm'd via slack

deads2k · 2019-04-15T17:46:51Z

terraform

/retest

openshift-ci-robot · 2019-04-15T21:45:27Z

New changes are detected. LGTM label has been removed.

… API The `.status.apiServerURL` [1] states the this value can be used by components like kubelet on machines, to contact the `apisever` using the infrastructure provider rather than the kubernetes networking. Therefore, this will be set to `api-int.$cluster_domain` as that is URL that should be used by the LB consumers of apiserver. currently the external serving cert controller is using this value to generate the certificate, when it should be the one doing the replace magic from [2] and not the internal serving cert controller and which causes wrong certificate generation when we finally switch to `api-int` [3]: ```console $ oc get secrets -n openshift-kube-apiserver external-loadbalancer-serving-certkey -oyaml apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lJYzJwVFVHSWw3Mmd3RFFZSktvWklodmNOQVFFTEJRQXdOekVTTUJBR0ExVUUKQ3hNSmIzQmxibk5vYVdaME1TRXdId1lEVlFRREV4aHJkV0psTFdGd2FYTmxjblpsY2kxc1lpMXphV2R1WlhJdwpIaGNOTVRrd05ERTNNak0xT0RNeVdoY05NVGt3TlRFM01qTTFPRE16V2pBbk1TVXdJd1lEVlFRREV4eGhjR2t0CmFXNTBMbUZrWVdocGVXRXRNQzUwZEM1MFpYTjBhVzVuTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBb293WHNVMW51TWRMSkhneUVWNTZXZmpTSDVCdmpqQ3c4eGJWYTVKNlRPUDhOTWVPaEtuOAowRVF6VDYzTTdQdTFtdlhqVmJ5T1JlcWZhL3Y4ZXJjdzIwS1liUDY3QXoyY2JrUXplUmpuVUVsVC8yU2hYa1E2CkVhS3Y4VGM4dlM3SFRhYkZTZVRmTW5RWHhNT0FOUDRyTW51NmpLUmw3aC90WU5Jck1xZFB3YUJaK0UyOWpBSW0KR0VaSUdCWDJWLy9Vb0hyK05vM2hHL0c1Ykdua3JhaUdUYkhTSjdQcExoNGJFYmFPTWlJWmR3K215WEtvS2ZScQo5SkVKd3llTDNueUNlQVQ1Y0tDa0NGZTR0eDQvcGMweTdQYmtHTmJzMG8yaHpMTkhHdTBNYVgwV2NYZkdObnhvCno4Y1p0S0ZGNjdaT25ZSGRtdGErVStjNWllcHZLTkJzY1FJREFRQUJvMzh3ZlRBT0JnTlZIUThCQWY4RUJBTUMKQmFBd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3RXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBVwpnQlNFQ09ZaFdUNDZObTdCOGQ0cHdYbEpQUXpDa3pBbkJnTlZIUkVFSURBZWdoeGhjR2t0YVc1MExtRmtZV2hwCmVXRXRNQzUwZEM1MFpYTjBhVzVuTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCbUVIOXQ5dGZDOXBMSVVXQUUKakE0dHBsZXpLVi9LR0ppZVh1dW5Td0NKU0FiNUcyclBMallVRGRRa0pJeks4cHdtNW1oMys2Vzd3bEo4ZVhWaAptVVJWT1RHNUlKQkkzdk1RT0hwWkt6YjY3a0ZZajVleSs3U2FmNjdKZzJ2L0lxS09QdmpVeU9VcUd6ckFWanI5Cm5FM2g3cVNwQXRYZk50Mk5IOGxuMTVKNFlsN1hhZkd6cGppUVZ2UVdBUHpoSnYxc2ZRVElpc0lSb2FvK2ZCUEcKRmtLcDUxRXRvc0xvbmtYRFZ5UGdzQVR4MW5jU2RvRE94WWhueXJteWEyT0Q2MVlMSDloalpjY2lENzBMdTVnOApFcUhrenhCL1F3S0JzbFdDUkNxYktpWkRVd0UvcWtEMmVST0NiS0hLckVKME8wWEVHVCtNRk1wU1RYcWIyaDA5CjhUV3IKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRE1qQ0NBaHFnQXdJQkFnSUliRHFHUFpCdlk0a3dEUVlKS29aSWh2Y05BUUVMQlFBd056RVNNQkFHQTFVRQpDeE1KYjNCbGJuTm9hV1owTVNFd0h3WURWUVFERXhocmRXSmxMV0Z3YVhObGNuWmxjaTFzWWkxemFXZHVaWEl3CkhoY05NVGt3TkRFM01qTTBPREExV2hjTk1qa3dOREUwTWpNME9EQTFXakEzTVJJd0VBWURWUVFMRXdsdmNHVnUKYzJocFpuUXhJVEFmQmdOVkJBTVRHR3QxWW1VdFlYQnBjMlZ5ZG1WeUxXeGlMWE5wWjI1bGNqQ0NBU0l3RFFZSgpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFPL1E0b3hYTjVvYkJ4WEptR3ZuOWkrRWpJRzJWN0RxCnFrTFFqMHU5STdnUDFMV3dEUE4rcUtFRWwzZnJjTGl2d0EvdTd5MlJ2Z0gxcDByRmFEUmhPYnBDWHU0VVN2aUYKLzVJZjl3dzFvMGlDRlNCczFmQm9GMERTNE1kMWc3cnhCVzVlTDlNVllsMGU1QzB0YkNVc3BWamkyNnR5K0dTWgpKNlRYVS9idEErV044STNnOUhQUHRZcnRLVVpycnBCUFpTWDNjZWxIWDlDczRFaDdFdXdrRFR6T2N4VGRsMUdoCjB4U1V5bE9lOU92eVVNVWM3SHpOS29QMGlRZE9scXNwL0ZvNjFwdHBOM0xUS1FCWUU5VUR2SUNFZ1NscXlzWFMKR3I1UzU0cFVMYzdva21LaXVLc0lkK0ZYWDd5STFGQTY1VVFUZDJOc2sweTFJNTF4VGp3LzN3OENBd0VBQWFOQwpNRUF3RGdZRFZSMFBBUUgvQkFRREFnS2tNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSVFJCjVpRlpQam8yYnNIeDNpbkJlVWs5RE1LVE1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1dSdVpTaURaYjQ4NzcKNmZhVWpvQTg5eld5Rm15L0VodTBURFpSSTFTSElaQjhmM1FINGlMdEhzMU53VGZDcU5XSTNOeFNxQ0Ntdmx6ZAp0ZGppVjdPUkxRZjc3WVVWdU9ZclF2M0RuK2ozcmZ1dCtoSzMyM3hjTDdYbXBpRnRIUXhac2NQZ2JqaUd1dS9XCmdhYlZBOXF3MWUxQit3b25UWlY0YWM1bjJ5N1QxbzdoeWE3WnY5RWJ5RFp3cnJPN2NBSmJjWS9pUDJnM0pnMG4KS0hJT2FVSnRZZjF0RDNCSWhzWVIzL0tQVStLU0lyQ2R3Y0ptbXYyZ1V5eGJLTzlFb2QyU2R0RDRJZEVKVTNobQpFUjhkcmFFK3Y5MzJHVHZYWWYwRUFOdHExam5ycFRxajNIVUFMajVZTm1UdE5DQTVEdHhWa2xaZ0I4RkJpdS9NCitjNmJ3UjJVCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K tls.key: .... kind: Secret metadata: annotations: auth.openshift.io/certificate-hostnames: api-int.adahiya-0.tt.testing auth.openshift.io/certificate-issuer: kube-apiserver-lb-signer auth.openshift.io/certificate-not-after: 2019-05-17T23:58:33Z auth.openshift.io/certificate-not-before: 2019-04-17T23:58:32Z creationTimestamp: 2019-04-17T23:58:37Z labels: auth.openshift.io/managed-certificate-type: target name: external-loadbalancer-serving-certkey namespace: openshift-kube-apiserver resourceVersion: "2560" selfLink: /api/v1/namespaces/openshift-kube-apiserver/secrets/external-loadbalancer-serving-certkey uid: b783479c-616c-11e9-8bba-52fdfc072182 type: kubernetes.io/tls $ xclip -sel c -o | base64 -d | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 8316551266602184552 (0x736a53506225ef68) Signature Algorithm: sha256WithRSAEncryption Issuer: OU = openshift, CN = kube-apiserver-lb-signer Validity Not Before: Apr 17 23:58:32 2019 GMT Not After : May 17 23:58:33 2019 GMT Subject: CN = api-int.adahiya-0.tt.testing X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:84:08:E6:21:59:3E:3A:36:6E:C1:F1:DE:29:C1:79:49:3D:0C:C2:93 X509v3 Subject Alternative Name: DNS:api-int.adahiya-0.tt.testing ``` This commit moves the replace magic [2] from internal to external serving cert controller. [1]: https://github.com/openshift/api/blob/13b403bfb6ce84ddc053bd3b401b5d67bf175efa/config/v1/types_infrastructure.go#L55-L58 [2]: openshift#405 [3]: openshift/installer#1633

openshift-ci-robot assigned mfojtik Apr 15, 2019

openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 15, 2019

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 15, 2019

openshift-ci-robot requested review from mfojtik and sttts April 15, 2019 14:05

mfojtik reviewed Apr 15, 2019

View reviewed changes

deads2k force-pushed the api-int branch from 5ab42dd to 4d5b27c Compare April 15, 2019 17:09

deads2k added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2019

openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2019

deads2k added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2019

add internal load balancer cert

c71fe4a

deads2k force-pushed the api-int branch from 4d5b27c to c71fe4a Compare April 15, 2019 21:45

openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2019

deads2k added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2019

openshift-merge-robot merged commit 2b10479 into openshift:master Apr 15, 2019

abhinavdahiya mentioned this pull request Apr 18, 2019

certoperator: fix incorrect use of infrastructure.config.openshift.io API #419

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add internal load balancer cert#405

add internal load balancer cert#405
openshift-merge-robot merged 1 commit intoopenshift:masterfrom
deads2k:api-int

deads2k commented Apr 15, 2019

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

mfojtik Apr 15, 2019

Uh oh!

mfojtik Apr 15, 2019

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

deads2k commented Apr 15, 2019

Uh oh!

deads2k commented Apr 15, 2019

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

deads2k commented Apr 15, 2019

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

mfojtik Apr 15, 2019

Choose a reason for hiding this comment

Uh oh!

mfojtik Apr 15, 2019

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

deads2k commented Apr 15, 2019

Uh oh!

deads2k commented Apr 15, 2019

Uh oh!

openshift-ci-robot commented Apr 15, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants