WIP: Add certificate-authority injection #472
Conversation
This allows you to connect your cluster to external services whose X.509 certificates are signed by a certificate authority that doesn't belong to the OSes list of certificate authorities. For example, it allows you to use a local registry with a self-signed certificate. While this might seem like a use-case for a custom root CA: * We don't currently install the root CA for general use on the bootstrap node, so the bootstrap node would still have trouble pulling images from a local registry with a nonstandard CA. * The root CA for the cluster and the CA for a local registry are really completely independent. I don't want to make a caller have to provide a complete set of custom certs and keys for all of our cluster-specific roles if all they need to do is authenticate a local registry. The commit is a work in progress, because: * This may be something of a niche use-case, I don't really know. If it is, it may not belong in the install-config. I guess users could edit generated ignition files and inject these directly once openshift#374 lands. Or they could edit the generated install config to inject these there. However this shakes out, the environment variable I'm using here is almost certainly not going to be the final UI. * I'm currently ignoring `installConfig.Machines[*].CertificateAuthorities` while I play around with mirroring [1]. If it works out, I'll go over this again and clean up the `pointerIgnitionConfig` API to allow for selecting the appropriate `installConfig.Machines` entry. [1]: https://github.com/wking/openshift-installer/blob/mirror-docs/docs/user/local-mirror.md
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
size/M
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wking The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
Hmm, the
So installing a new system cert where CRI-O will find it will probably need custom scripting. Or maybe we can set |
|
@wking that's correct. Everything in the |
|
@openshift/sig-security |
The ansible installer's openshift_additional_ca option did this, so we should definitely keep the ability to add extra CAs on install time. But we should take care that the additional CAs do not get confused with the root CA that corresponds with the root signing key, and that when we get around to doing rotation of the root CA we can keep the added ones available. |
| Machines []MachinePool `json:"machines"` | ||
|
|
||
| // DefaultCertificateAuthorities is the default slice of additional | ||
| // PEM-encoded certificated to add to machines (in addition to the |
|
@wking is this abandoned? Can I carry this across the finish line? |
I still want this, it just seems like low priority to support faster, mostly-offline libvirt registries for devs. If you want to pick it up and get cert injection working, that's fine with me. Otherwise, I hope to get back to this next week. |
openshift-bot
added
the
needs-rebase
|
@wking: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@wking I'm going to close this for now. We can reopen once one of us have time to take another crack. /close |
|
@crawford: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6 participants
This allows you to connect your cluster to external services whose X.509 certificates are signed by a certificate authority that doesn't belong to the OSes list of certificate authorities. For example, it allows you to use a local registry with a self-signed certificate.
While this might seem like a use-case for a custom root CA:
We don't currently install the root CA for general use on the bootstrap node, so the bootstrap node would still have trouble pulling images from a local registry with a nonstandard CA.
The root CA for the cluster and the CA for a local registry are really completely independent. I don't want to make a caller have to provide a complete set of custom certs and keys for all of our cluster-specific roles if all they need to do is authenticate a local registry.
The commit is a work in progress, because:
This may be something of a niche use-case, I don't really know. If it is, it may not belong in the install-config. I guess users could edit generated ignition files and inject these directly once pkg/asset: Introduce Load() into the Asset interface that loads assets (from disk) #374 lands. Or they could edit the generated install config to inject these there. However this shakes out, the environment variable I'm using here is almost certainly not going to be the final UI.
I'm currently ignoring
installConfig.Machines[*].CertificateAuthoritieswhile I play around with mirroring. If it works out, I'll go over this again and clean up thepointerIgnitionConfigAPI to allow for selecting the appropriateinstallConfig.Machinesentry.