Support ExtendedSecret certs signed by the Kube API Server #484
Conversation
|
✅ Hey edwardstudy! The commit authors and yourself have already signed the CLA. |
edwardstudy
force-pushed
the
ed/csr
branch
4 times, most recently
from
c19b097
to
89f93ac
Compare
| return reconcile.Result{}, nil | ||
| } | ||
|
|
||
| err = r.approveRequest(ctx, instance.Name) |
There was a problem hiding this comment.
I think this should better go into an else branch.
There was a problem hiding this comment.
And couldn't we pass the object directly instead of its name to get rid of another get request?
There was a problem hiding this comment.
Oh, it's helpful for reducing update conflicts.
And r.client could not update subresource approval. we have to use client-go.client to update CSR approval directly:
kubernetes-sigs/controller-runtime#172
pkg/kube/util/names/names.go
Outdated
| @@ -180,6 +180,11 @@ func OrdinalFromPodName(name string) int { | |||
| return podOrdinal | |||
| } | |||
|
|
|||
| // PrivateKeySecretName returns a Secret name for a given ExtendedSecret | |||
| func PrivateKeySecretName(extendedSecretName string) string { | |||
There was a problem hiding this comment.
Could we make this name a bit more precise, i.e. CsrPrivateKeySecretName?
| } | ||
|
|
||
| if len(instance.Status.Certificate) != 0 { | ||
| annotations := instance.GetAnnotations() |
There was a problem hiding this comment.
I'm just wondering, why do we need these annotations? Couldn't we get the secret name and namespace from the owner object (ExtendedSecret)?
There was a problem hiding this comment.
The truth is that:
- CSR is no-namespaced
- the owner and owned object are both namespace-scoped and assumed in the same namespace
kubernetes-sigs/controller-runtime#214 (comment)
So getting the owner's namespace from CSR could not get right namespace.
My idea is to set the owner's namespace to annotations.
pkg/kube/controllers/extendedsecret/certificatesigningrequest_reconciler.go
Show resolved
Hide resolved
| @@ -124,6 +127,7 @@ func (r *ReconcileExtendedSecret) Reconcile(request reconcile.Request) (reconcil | |||
| func (r *ReconcileExtendedSecret) updateExSecret(ctx context.Context, instance *esv1.ExtendedSecret) error { | |||
| obj := instance.DeepCopy() | |||
| op, err := controllerutil.CreateOrUpdate(ctx, r.client, obj, func() error { | |||
| obj.Spec = instance.Spec | |||
There was a problem hiding this comment.
Why is this change needed?
There was a problem hiding this comment.
It's helpful to update default spec.request.signerType if it's certificate.
There was a problem hiding this comment.
refactored CreateOrUpdate mutateFn. As I said, empty spec.request.signerType would be populated as local.
edwardstudy
force-pushed
the
ed/csr
branch
3 times, most recently
from
428648d
to
d0a3e92
Compare
| - '*.foo.com' | ||
| commonName: routerSSL | ||
| isCA: false | ||
| signerType: external |
There was a problem hiding this comment.
This looks like it's not using the API server to sign
There was a problem hiding this comment.
Removed CA infos. Sorry for misleading example.
edwardstudy
force-pushed
the
ed/csr
branch
10 times, most recently
from
281839a
to
fdada63
Compare
|
cf-operator can consume following CR and create cert signed by API server now: |
#167555390
Verification steps: