pkg/asset/tls: self-sign kube-ca #1179
Conversation
/unassign @russellb
/retest
I've rebased this and changed to tackling self-signing one CA at a time, first the kube-ca.
The current problem that I am trying to debug is that now the network-operator can't verify the api server cert, even though the kubeconfig that it is mounting now contains the kube-ca (although it is passed in as a --url-only-kubeconfig so that suggests it may not be using the CA data from it).
@squeed where does the network-operator source its CA data from for the API connection?
@mrogers950 the network operator uses the default "in-cluster" config + CA. It only pulls the apiserver URL from the kubelet's kubeconfig.
Retesting after openshift/cluster-kube-controller-manager-operator#152
@mrogers950 alright, you're getting installed now. Looks like something isn't happy though.
Retesting for a debugging run
The cluster comes up and no crashlooping pods. The test failures are all with the use of e2e.RunHostCmd(),
/retest |
@mrogers950: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/retest |
@abhinavdahiya tests are green, PTAL |
The only CA I see is the kubeCA getting self signed, what about the others? Can you include more details to commits based on https://github.com/openshift/installer/blob/master/CONTRIBUTING.md#commit-message-format
/kind bug
/cc @crawford
Detach kube-ca from the root-ca chain in order to make it a proper independent chain of trust, and ensure compatibility with non-golang TLS clients that need to trust kube-ca. Part of https://jira.coreos.com/browse/CORS-999
A self-signed CA must not be included in a server certificate bundle.
Admin now requires the kube-ca CA data, not root CA.
The kubelet kubeconfig now requires kube-ca CA data, not root CA.
@abhinavdahiya I had reduced the scope of this PR to take care of only kube-ca (the others will follow) and updated the text accordingly.
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, mrogers950 The full list of commands accepted by this bot can be found here. The pull request process is described here
Through 820ff4c (Merge pull request openshift#1179 from mrogers950/ca_roots, 2019-02-19).
This PR turns the kube-ca into a self-signed CA rather than an intermediate of the root CA. Detaching it from the root CA trust chain gives us a proper separation of the trust domain while making it possible to accommodate non-golang clients without compromising the intended trust separation.
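The trust separation the PR description claims can be checked directly with the standard library. The following is an added example, not code from openshift/installer or from this PR: it builds both layouts with throwaway P-256 keys (a root-ca with kube-ca as its intermediate, and a root-ca beside a self-signed kube-ca), issues an API server certificate from kube-ca in each, and asks which trust anchor accepts it. The CA names, the serial numbers and the hostname `kube-apiserver.example.test` are constructed for the example; in the intermediate layout the server bundle carries kube-ca, in the self-signed layout it carries only the leaf, matching the commit note that a self-signed CA does not belong in a server certificate bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const apiServerName = "kube-apiserver.example.test" // constructed hostname for the example

// template builds a minimal CA or server-auth certificate template.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a fresh P-256 key and signs tmpl with parent/parentKey.
// When parent is nil the certificate is self-signed with its own key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainsTo reports whether a client that trusts only anchor accepts leaf,
// given the extra certificates the server sends alongside it.
func chainsTo(leaf, anchor *x509.Certificate, bundle []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range bundle {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: apiServerName})
	return err == nil
}

// TrustResult records which anchor accepts the API server certificate.
type TrustResult struct {
	RootCATrustsAPIServer bool
	KubeCATrustsAPIServer bool
}

func model(selfSignedKubeCA bool) (TrustResult, error) {
	rootCA, rootKey, err := newCert(template("root-ca", 1, true), nil, nil)
	if err != nil {
		return TrustResult{}, err
	}
	var kubeCA *x509.Certificate
	var kubeKey *ecdsa.PrivateKey
	var bundle []*x509.Certificate
	if selfSignedKubeCA {
		kubeCA, kubeKey, err = newCert(template("kube-ca", 2, true), nil, nil) // own root, not sent in the bundle
	} else {
		kubeCA, kubeKey, err = newCert(template("kube-ca", 2, true), rootCA, rootKey)
		bundle = []*x509.Certificate{kubeCA} // an intermediate must travel with the leaf
	}
	if err != nil {
		return TrustResult{}, err
	}
	apiServer, _, err := newCert(template(apiServerName, 3, false), kubeCA, kubeKey)
	if err != nil {
		return TrustResult{}, err
	}
	return TrustResult{
		RootCATrustsAPIServer: chainsTo(apiServer, rootCA, bundle),
		KubeCATrustsAPIServer: chainsTo(apiServer, kubeCA, bundle),
	}, nil
}

// IntermediateModel is the layout before this PR; SelfSignedModel the layout after it.
func IntermediateModel() (TrustResult, error) { return model(false) }
func SelfSignedModel() (TrustResult, error)   { return model(true) }

func main() {
	before, _ := IntermediateModel()
	after, _ := SelfSignedModel()
	fmt.Printf("intermediate kube-ca: %+v\nself-signed kube-ca:  %+v\n", before, after)
}
```

In the intermediate layout anything that trusts root-ca also accepts the API server certificate, so the two trust domains are not separate. In the self-signed layout root-ca rejects it with an unknown-authority error and only a client carrying kube-ca accepts it, which is why the admin and kubelet kubeconfigs in this PR switch from root CA data to kube-ca data.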