This repository has been archived by the owner on Mar 28, 2020. It is now read-only.

Support using Kubernetes CA for certificates #1465

Open
F21 opened this issue Oct 1, 2017 · 7 comments

Comments

@F21

F21 commented Oct 1, 2017

Since Kubernetes 1.7, it is possible to ask Kubernetes to sign certificates for us.

It would be nice if the operator could support the case where it automatically generates certificates, asks Kubernetes to sign them, automatically approves the certificates and uses them in the deployed etcd clusters.

This would allow the following:

  • Use the Kubernetes CA to secure workloads on the cluster.
  • Simplify the setup of secure etcd clusters in Kubernetes.
  • Support certificates with low lifetimes (24hrs) and automatically issue new ones and rotate them.
@F21 F21 changed the title Use Kubernetes CA for certificates Support using Kubernetes CA for certificates Oct 1, 2017
@hongchaodeng
Member

There is already a design for dynamic TLS: https://github.com/coreos/etcd-operator/blob/master/doc/design/cluster_tls.md

Note that it has been a while and it is a bit outdated. We can base this off the original design and make use of the k8s CSR API to implement dynamic TLS.

@jamiehannaford
Contributor

Auto-approval only works if the user that's requesting the CSR is in the system:node group (e.g. a kubelet). You can see the approval logic here:

client: https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/certificates/approver/sarapprove.go#L189-L191
server: https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/certificates/approver/sarapprove.go#L221-L226

So I'm not sure this can work right now unless you write another CSR approver controller.

@hongchaodeng
Member

Hi @jamiehannaford

Yes. I understand auto-approval only works for node TLS bootstrap now. But this is very generic and in the long term it should be possible to extend it to auto-approve other groups too. In the short term, manual approval or a custom auto-approval worker should be the better choice.

Does that make sense? If so let's create a feature request on that :)
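As an added example (not code from etcd-operator or from any commenter in this thread), here is a stand-alone Go sketch of the flow F21 proposes and the custom approval worker hongchaodeng suggests: the operator generates a key and CSR for one etcd member, wraps it in the object it would POST to the CSR API, and a custom approval policy decides on the request instead of the built-in approver, which only auto-approves system:node requests. The naming scheme (org `etcd:<cluster>`, SANs under `<cluster>.<ns>.svc`), the operator identity string, the usages list and the reduced v1beta1 object shape (only the fields used, metadata omitted) are assumptions for the demo, and the actual approval step (patching `status.conditions` with an Approved condition) is not performed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// csrObject is a hand-written shape covering only the CertificateSigningRequest fields used here; it is not the real API type.
type csrObject struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Request  string   `json:"request"`  // base64 of the PEM-encoded CSR
		Usages   []string `json:"usages"`
		Username string   `json:"username"` // normally filled in by the API server from the caller
	} `json:"spec"`
}

// generateMemberCSR makes a fresh key and a PEM CSR for one etcd member pod (naming scheme assumed for this demo).
func generateMemberCSR(cluster, namespace, member string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: member, Organization: []string{"etcd:" + cluster}},
		DNSNames: []string{member, fmt.Sprintf("%s.%s.%s.svc", member, cluster, namespace)},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// buildCSRObject produces the JSON body an operator would POST to the CSR API.
func buildCSRObject(csrPEM []byte, username string) ([]byte, error) {
	var obj csrObject
	obj.APIVersion = "certificates.k8s.io/v1beta1"
	obj.Kind = "CertificateSigningRequest"
	obj.Spec.Request = base64.StdEncoding.EncodeToString(csrPEM)
	obj.Spec.Usages = []string{"digital signature", "key encipherment", "server auth", "client auth"}
	obj.Spec.Username = username
	return json.MarshalIndent(obj, "", "  ")
}

// etcdApprovalPolicy is the decision a custom approver controller would make: the request
// must come from the operator's identity and ask only for what an etcd member needs.
func etcdApprovalPolicy(obj csrObject, operatorUser, namespace string) error {
	if obj.Spec.Username != operatorUser {
		return fmt.Errorf("requester %q is not the operator", obj.Spec.Username)
	}
	raw, _ := base64.StdEncoding.DecodeString(obj.Spec.Request) // bad base64 leaves no PEM block
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return err
	}
	if len(csr.Subject.Organization) != 1 || !strings.HasPrefix(csr.Subject.Organization[0], "etcd:") {
		return fmt.Errorf("organization must be etcd:<cluster>")
	}
	cluster := strings.TrimPrefix(csr.Subject.Organization[0], "etcd:")
	// The operator issues a fixed member profile, so anything else (e.g. a CA usage) is rejected.
	if got := strings.Join(obj.Spec.Usages, ","); got != "digital signature,key encipherment,server auth,client auth" {
		return fmt.Errorf("usages %q differ from the etcd member profile", got)
	}
	suffix := "." + cluster + "." + namespace + ".svc"
	for _, d := range csr.DNSNames {
		if d != csr.Subject.CommonName && !strings.HasSuffix(d, suffix) {
			return fmt.Errorf("SAN %q is outside the cluster's service domain", d)
		}
	}
	return nil
}

func main() {
	const operator = "system:serviceaccount:default:etcd-operator" // assumed operator identity
	_, csrPEM, _ := generateMemberCSR("example-etcd", "default", "example-etcd-0000")
	body, _ := buildCSRObject(csrPEM, operator)
	var obj csrObject
	_ = json.Unmarshal(body, &obj)
	// A real controller would now patch status.conditions with type Approved; here it only prints.
	fmt.Println("approve:", etcdApprovalPolicy(obj, operator, "default") == nil)
}
```

The policy deliberately keys on the requester identity rather than on the CSR contents alone: because the API server sets `spec.username`, the decision reduces to "did the operator's service account ask for this", which is what RBAC on that service account already governs. The signature check matters because parsing a CSR does not verify it, so without `CheckSignature` an approver would sign names for a key the requester never proved it holds.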

@jamiehannaford
Contributor

@hongchaodeng Creating a custom approval controller is a lot of work, wouldn't it just be simpler as a first step to generate a CA for etcd and provide it in the EtcdCluster spec? That would allow dynamic TLS, since you're generating certs for each etcd pod as it's being created.

@hongchaodeng
Member

you're generating certs for each etcd pod as it's being created.

That's duplicating the work done by the k8s CSR API. And what this issue was created for, and what we all wanted from it, is to make use of that API.

@jamiehannaford
Contributor

@hongchaodeng Okay. Should a custom controller that approves etcd CSRs be added to this codebase?

@hongchaodeng
Member

Should a custom controller that approves etcd CSRs be added to this codebase?

Yeah. As long as it solves user issues and provides value, we would like to host and maintain it.


3 participants