Add default-ingress-cert ConfigMap enhancement #126
Conversation
openshift-ci-robot
added
the
size/L
| has a custom default certificate? | ||
| - If so, should the operator publish the default certificate itself to | ||
| `router-ca`? | ||
| - If the operator publishes custom default certificates to `router-ca`, |
There was a problem hiding this comment.
This bullet point seems to summarize the need for a single well-known reference point for components to collect the relevant cert(s) that allow them to communicate with other components on the cluster.
I'm very interested in how these questions are answered. If for some reason a bundle of all relevant certs should not be published, I'd definitely like to see that the alternative is clearly documented.
|
|
||
| ## Summary | ||
|
|
||
| The ingress operator publishes a `router-ca` configmap in the |
There was a problem hiding this comment.
This is what it does now, correct? Not a summary of what will be added?
There was a problem hiding this comment.
Correct. This describes the current behavior.
|
|
||
| ### Goal | ||
|
|
||
| Publish the ingress operator's signing certificate, if used, in a well-known |
There was a problem hiding this comment.
Also, if custom default certs are used, publish those?
|
|
||
| Publishing the ingress operator's signing certificate does not help | ||
| if the administrator configures a custom default certificate. | ||
|
|
There was a problem hiding this comment.
Though we do need a path forward for this case as well.
|
Interesting. Would be curious to know why we would want different approaches. Namely, why In practice, we have to add a Could the approaches be unified? |
|
Also, is there ever a case where a custom CA is used without proxy? |
Miciah
force-pushed
the
router-ca-configmap
branch
from
ae26a08 to
81be130
Compare
Good idea. The |
|
Latest push adds the suggestion to inject the ingress CA into specifically labeled configmaps à la proxy config. |
|
That sounds great, like the consistency, like dropping the |
|
|
||
| ### Inject the Ingress CA into ConfigMaps with a Well Known Label | ||
|
|
||
| Instead of or in addition to publishing the `router-ca` ConfigMap, the ingress |
There was a problem hiding this comment.
This sounds good to me. Since it is inject-ingress-cabundl instead of inject-default-cabundle, will we be able to assume that we can simply use it? As a consumer, we don't have to care if it is default or custom?
|
I've commented mostly on UX/correct usage path, lets definitely ensure security issues are documented here as well. |
|
Going to cross reference this openshift/cluster-ingress-operator#331 |
|
|
||
| Instead of or in addition to publishing the `router-ca` ConfigMap, the ingress | ||
| operator could inject the ingress CA into all ConfigMaps with a specific label, | ||
| for example `config.openshift.io/inject-ingress-cabundle: "true"`. This approach |
There was a problem hiding this comment.
Instead of having the ingress operator inject the ingress ca cert, why not have the existing trust bundle publishing controller handle this? The controller can be expanded to watch for the router-ca configmap, add the cert to the cluster-wide trusted ca bundle configmap and have the combined bundle injected into components. Most of this workflow is already implemented and this approach would allow a single operator to manage cluster-wide trust bundle publishing and injection. All components that rely on routes to verify access, should already be setup for the trust bundle injection so no additional changes should be required.
There was a problem hiding this comment.
I like the idea of re-using an existing controller. However, we would still need a distinct annotation because components that need to trust the proxy CA may not need to trust router-ca, and we must maintain separation of chains of trust.
There was a problem hiding this comment.
ack, I get your point and agree. I did a review of the the ingress operator cert code and I see the router-ca configmap is only created when it's the self generated cert (i.e. no ingress controllers define defaultCertificate). Why does the ingress operator publish the self generated cert and not user-defined certs?
There was a problem hiding this comment.
The operator publishes the CA that it uses to sign operator-generated default certificates. If a custom default certificate is provided, we have the certificate but not the signing CA for that certificate (unless the administrator happens to include the CA in the default certificate secret, which we cannot assume to be the case). What @deads2k has proposed is to publish the custom default certificate itself as if it were the CA, which is technically wrong but will work for Go-based clients.
|
How does this enhancement relate to https://github.com/openshift/enhancements/pull/115/files? It may be a good idea to reference this enhancement and how the two relate. |
Miciah
force-pushed
the
router-ca-configmap
branch
from
81be130 to
78d64f8
Compare
Miciah
force-pushed
the
router-ca-configmap
branch
from
78d64f8 to
0e0d6ad
Compare
I think the enhancements are not directly related. #126 concerns documenting and modifying how the ingress operator communicates with other components about certificates that the administrator can already configure through an established API whereas #115 concerns a new API for administrators to configure certificates and explicitly does not concern how components communicates with each other:
|
|
openshift/cluster-ingress-operator#331 to add |
Miciah
changed the title
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ironcladlou, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
6 participants
No description provided.