-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Certificate support for image registry #956
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
9b67afd
to
d5af748
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #956 +/- ##
==========================================
- Coverage 80.14% 79.07% -1.07%
==========================================
Files 16 16
Lines 1103 1152 +49
==========================================
+ Hits 884 911 +27
- Misses 152 169 +17
- Partials 67 72 +5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
// Name of the secret | ||
Name string `json:"name"` | ||
// Namespace of the secret | ||
Namespace string `json:"namespace,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we allow for specification of the namespace here? I'm wondering if using the install namespace as a point where all other resources referenced should exist is more reasonable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The secret is associated with the image registry, not the installation of the bundle itself. This secret is independent of the installation namespace. If we do not allow specifying the namespace, it would possibly require copying the secret to various namespaces, which then causes issues when the secret (which is a TLS certificate) needs to be updated.
Also, the service account for installation does need access to the secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The secret is associated with the image registry
I think my comment about cert configuration being on ClusterExtension
is relevant to this discussion: #956 (comment)
TLDR: I think we should not ask users to specify certs on every installation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear, it's not required on every installation.
If the docker-registry's certificate is signed by a system CA, this option is not required. This requires additional setup (i.e. cert-manager/trust-manager/deployment updates).
Also, if the docker-registry is public, and uses a certificate signed by a "public CA", then this option is not necessary.
If the operator-controller's deployment includes mounted certificates for the system CAs, then those will be used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear, it's not required on every installation.
You are right. But it is required on every installation if you use a registry with self-signed certs (like we do in our own tests: see addCertToSpec
in this PR). I would expect it to be quite a common pattern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would actually expect it to be an exception, not a rule. The operator-controller deployment can be modified to include CAs used by the cluster.
// Name of the secret | ||
Name string `json:"name"` | ||
// Namespace of the secret | ||
Namespace string `json:"namespace,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we force this to be the install namespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I actually disagree, the registry and it's secret are likely in a separate namespace from the installation namespace.
|
||
//+optional | ||
// RegistryTLS defines the connection parameters to retrieve an image from a registry | ||
RegistryTLS *ClusterExtensionTLS `json:"registryTLS,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels like it does not belong in ClusterExtension
. At least in the use case when we install packages from a catalog it feels like specifying this every time we create a ClusterExtension
is excessive.
We need to think about UX for the following use cases:
- We install extensions from a catalog. I think in this case we probably don't want users to specify certs in
ClusterExtension
every time they install something from a catalog. Feels like some configuration should be done onClusterCatalog
level once and re-used. - We install something directly (like future support for direct helm installation).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this was the intent. This is the certificate used to verify the connection to the image-registry from which we get the bundle. The certificate can't be part of the catalog, as it may expire, and it could be an external repository or other location as you point out.
HOWEVER, this is optional, as the operator-controller will load the system certificates, and if the image registry's certificate is signed by a system certificate, then it's not necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The more I think about this - the more I think we should not have this on ClusterExtension
. Another reason - we do not specify specific catalog in ClusterExtension
. If on ClusterExtension
you say you want to install argocd-operator
- it can come from any catalog installed on the cluster: it might come from a catalog which uses an image registry where certs are issued by a public CA, but it might also come from a catalog which uses an image registry with a self-signed cert. We don't know on the ClusterExtension
level.
I can totally see that some users are not going to know what to specific in registryTLS
because they don't know how argocd-operator
will resolve.
This is the certificate used to verify the connection to the image-registry from which we get the bundle.
I understand that. But whoever configures ClusterCatalog
probably knows better about what image registries the catalog uses. So they can provide a ref to a relevant CA on ClusterCatalog
level.
The certificate can't be part of the catalog, as it may expire, and it could be an external repository or other location as you point out.
Not sure that I'm following this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the certificate is part of the catalog metadata, it could easily become stale - especially if a separate image-registry is used. And as you point out, the argocd could come from any catalog, and subsequently any docker-registry.
Again, this is optional, and is intended for those specific docker-registries which may be private (e.g. our e2e docker-registries) or for which don't use a system certificate.
This should really be considered an exception, not the rule.
@joelanford, I believe it was your idea to add a certificate to the ClusterExtension, do you have an additional response?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the certificate is part of the catalog metadata
I'm not suggesting to put a certificate into catalog metadata. I'm suggesting to potentially do what you did for ClusterExtension
, but for catalogd
's ClusterCatalog
API instead.
My idea is that people using ClusterExtension
should not be forced to specify CA every time they install something on a cluster where self-signed certs are used. The cluster admins should be able to specify refs to secrets containing required CAs once (when adding a catalog to their cluster) and ClusterExtension
API can remain the same.
What I suggest might also not be the right approach, but it is clear to me that we as a group need to spend some more time on the design for this.
This should really be considered an exception, not the rule.
If we provide this API - we and our users will be stuck with it for long time. We will have to support it and users will be forced to use it.
I agree with you - it won't affect people who use image registry with certs signed by public CAs. But it will result in a terrible user experience for people who install something on a cluster with self-signed certs. For them I see at least the following UX issues:
- They will have to specify
registryTLS
for everyClusterExtension
. - It is not clear what CA to specify on
ClusterExtension
. You have to know in advance how your package & version are going to resolve (is it going to use a registry with self-signed certs?). I think it is going to be more of a pain if people usingClusterExtension
are not the same people configuring catalogs on the cluster.
IMO - we should either not support this use case at all or design so that we provide nice UX for all the use cases.
Let me know if you want to discuss this on a call. We should probably invite @joelanford as the author of the original idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I spoke with Joe Tuesday night and we are going to abandon the addition to the API for now and re-evaluate it later. This PR will still remove the annotations and fix the e2e to properly use certificates (and not use InsecureSkipTLSVerify
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good!
This PR will still remove the annotations and fix the e2e to properly use certificates
Could you please create a new PR for this instead? This one has quite a lot comments about the original registryTLS
implementation. I think it will be easier to review in a fresh PR.
Updates the ClusterExtension API to support a certificate to retreive a bundle from an image registry. Signed-off-by: Todd Short <tshort@redhat.com>
85728aa
to
858efe0
Compare
Signed-off-by: Todd Short <tshort@redhat.com>
See #960 for a different approach |
Updates the ClusterExtension API to support a certificate to retreive a bundle from an image registry.
Fixes #921
Description
Reviewer Checklist