-
Notifications
You must be signed in to change notification settings - Fork 35
Support ExtendedSecret certs signed by the Kube API Server #484
Conversation
✅ Hey edwardstudy! The commit authors and yourself have already signed the CLA. |
c19b097
to
89f93ac
Compare
return reconcile.Result{}, nil | ||
} | ||
|
||
err = r.approveRequest(ctx, instance.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should better go into an else
branch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And couldn't we pass the object directly instead of its name to get rid of another get request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, it's helpful for reducing update conflicts.
And r.client
could not update subresource approval
. we have to use client-go.client
to update CSR approval directly:
kubernetes-sigs/controller-runtime#172
pkg/kube/util/names/names.go
Outdated
@@ -180,6 +180,11 @@ func OrdinalFromPodName(name string) int { | |||
return podOrdinal | |||
} | |||
|
|||
// PrivateKeySecretName returns a Secret name for a given ExtendedSecret | |||
func PrivateKeySecretName(extendedSecretName string) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we make this name a bit more precise, i.e. CsrPrivateKeySecretName
?
} | ||
|
||
if len(instance.Status.Certificate) != 0 { | ||
annotations := instance.GetAnnotations() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm just wondering, why do we need these annotations? Couldn't we get the secret name and namespace from the owner object (ExtendedSecret)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The truth is that:
- CSR is no-namespaced
- the owner and owned object are both namespace-scoped and assumed in the same namespace
kubernetes-sigs/controller-runtime#214 (comment)
So getting the owner's namespace from CSR could not get right namespace.
My idea is to set the owner's namespace to annotations.
pkg/kube/controllers/extendedsecret/certificatesigningrequest_reconciler.go
Show resolved
Hide resolved
@@ -124,6 +127,7 @@ func (r *ReconcileExtendedSecret) Reconcile(request reconcile.Request) (reconcil | |||
func (r *ReconcileExtendedSecret) updateExSecret(ctx context.Context, instance *esv1.ExtendedSecret) error { | |||
obj := instance.DeepCopy() | |||
op, err := controllerutil.CreateOrUpdate(ctx, r.client, obj, func() error { | |||
obj.Spec = instance.Spec |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this change needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's helpful to update default spec.request.signerType
if it's certificate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
refactored CreateOrUpdate mutateFn. As I said, empty spec.request.signerType
would be populated as local
.
428648d
to
d0a3e92
Compare
- '*.foo.com' | ||
commonName: routerSSL | ||
isCA: false | ||
signerType: external |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like it's not using the API server to sign
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed CA infos. Sorry for misleading example.
281839a
to
fdada63
Compare
cf-operator can consume following CR and create cert signed by API server now:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm besides the test expectation change
#167555390
Verification steps: