Comments (6)
So for CRDs there is a field in the CRD definition to define a webhook that is responsible for converting CRDs of the same type but different versions. That is currently the only use of a CA injector for CRDs. In other words, the CA injector at the moment covers three very specific use cases and it's not general purpose. However, if you are using OCP 4.x there is a generic CA injector operator. Maybe that will cover your use case. It will only inject PEM-based CA bundles though.
from cert-utils-operator.
Thanks for the clarification.
The OCP 4.x CA Injector operator's ConfigMapCAInjector (https://github.com/openshift/service-ca-operator/tree/master/pkg/controller/configmapcainjector) does not appear to provide comparable functionality to that offered by this CA Injector for Kubernetes Webhook resources. In light of that fact, would you consider expanding the scope of the cert-utils-operator CA Injector to include ConfigMaps in addition to Webhooks? In this case, the presence of the CA Injector annotation on a ConfigMap would cause the addition or update of a data item with key "ca.crt" or "ca-bundle.crt" or "service-ca.crt" to the ConfigMap.
In order to support the common use case where one-way SSL is used with some other form of authentication, a.k.a. use of the secure lib-bucket-provisioner described above, consider adding CA Injector support for kubernetes.io/tls Secret resources as well. Here, the annotation would cause the data item in the Secret with key "ca.crt" to be updated. If the Secret also had the cert-utils-operator.redhat-cop.io/generate-java-keystores: "true" annotation, the truststore.jks data item would get updated as well. In this use case, the tls.crt and tls.key data items in the Secret would typically be unset, so the cert-utils-operator should tolerate generating a truststore.jks without a keystore.jks.
WDYT?
from cert-utils-operator.
I think the feature is well stated and technically feasible. We can add it. To summarize it for the benefit of whoever will help contribute it:
- an injection annotation will be observed on configmaps.
- the ca.crt from the referenced secret will be injected.
- if the secret is annotated to generate a keystore, then the truststore will also be injected.
- a secret from a different namespace can be referenced.
from cert-utils-operator.
One change to the previous design. To favor homogeneity, I think it would be better to inject CA bundles into secrets as opposed to configmaps. Secrets and configmaps can be used essentially in the same context, so this should not limit the usability. So the design becomes the following:
- an injection annotation will be observed on secrets of type kubernetes.io/tls.
- the ca.crt from the referenced secret will be injected (a secret from a different namespace can be referenced).
If the user wants the CA bundle to be represented as a truststore, they can annotate the secret with the cert-utils-operator.redhat-cop.io/generate-java-keystores: "true" annotation. So with this approach there is no need to also inject the truststore.
from cert-utils-operator.
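The design summarized in the two comments above (an annotation on a kubernetes.io/tls secret, ca.crt copied from a referenced secret that may live in another namespace) is small enough to sketch as a reconcile step. The following Go program is an added example written for this page, not code from cert-utils-operator: the annotation name `cert-utils-operator.redhat-cop.io/inject-ca-from-secret` and its `namespace/name` value format are assumptions, `Secret` and `Store` are stand-ins for the real API objects and client, and the source CA certificate is constructed at runtime. The part worth copying is the validation: the injector refuses targets that are not of type kubernetes.io/tls, refuses a source whose ca.crt is empty, is not PEM, or contains any non-certificate block (a stray private key must never be fanned out as a "CA bundle"), and reports whether the target actually changed so the controller does not issue no-op updates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const (
	// The annotation name and its "namespace/name" value are assumptions for this example.
	injectAnnotation = "cert-utils-operator.redhat-cop.io/inject-ca-from-secret"
	tlsSecretType    = "kubernetes.io/tls"
	caKey            = "ca.crt"
)

// Secret is a minimal stand-in for a Kubernetes Secret; a ConfigMap works the same with string values.
type Secret struct {
	Namespace, Name, Type string
	Annotations           map[string]string
	Data                  map[string][]byte
}

// Store maps "namespace/name" to a Secret and stands in for a client Get.
type Store map[string]*Secret

// resolveCA parses the "ns/name" (or bare "name") reference and refuses to copy ca.crt unless every PEM block is a valid certificate.
func resolveCA(ref, defaultNS string, store Store) ([]byte, error) {
	ns, name, found := strings.Cut(strings.TrimSpace(ref), "/")
	if !found {
		ns, name = defaultNS, ns
	}
	if ns == "" || name == "" || strings.Contains(name, "/") {
		return nil, fmt.Errorf("malformed secret reference %q", ref)
	}
	src, ok := store[ns+"/"+name]
	if !ok {
		return nil, fmt.Errorf("source secret %s/%s not found", ns, name)
	}
	bundle, count := src.Data[caKey], 0
	for rest := bundle; len(rest) > 0; count++ {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break // trailing bytes that are not PEM
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s/%s: refusing to inject PEM block of type %q", ns, name, block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, fmt.Errorf("%s/%s: invalid certificate: %w", ns, name, err)
		}
	}
	if count == 0 {
		return nil, fmt.Errorf("%s/%s carries no certificate under %s", ns, name, caKey)
	}
	return bundle, nil
}

// InjectSecret copies the bundle into an annotated kubernetes.io/tls secret and reports whether the target changed.
func InjectSecret(t *Secret, store Store) (bool, error) {
	ref, ok := t.Annotations[injectAnnotation]
	if !ok {
		return false, nil // not opted in
	}
	if t.Type != tlsSecretType {
		return false, fmt.Errorf("%s/%s has type %q, want %s", t.Namespace, t.Name, t.Type, tlsSecretType)
	}
	ca, err := resolveCA(ref, t.Namespace, store)
	if err != nil || string(t.Data[caKey]) == string(ca) {
		return false, err
	}
	if t.Data == nil {
		t.Data = map[string][]byte{}
	}
	t.Data[caKey] = ca
	return true, nil
}

// newCAPEM builds a constructed self-signed CA certificate for the demo and test.
func newCAPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	store := Store{"ca-ns/root-ca": {Namespace: "ca-ns", Name: "root-ca", Type: tlsSecretType, Data: map[string][]byte{caKey: newCAPEM()}}} // constructed source
	target := &Secret{Namespace: "app", Name: "client-tls", Type: tlsSecretType, Annotations: map[string]string{injectAnnotation: "ca-ns/root-ca"}}
	changed, err := InjectSecret(target, store)
	fmt.Println("changed:", changed, "err:", err, "ca.crt bytes:", len(target.Data[caKey]))
}
```

Because a ConfigMap's data values are strings, the same routine applies there with `string(ca)` as the value; a binary truststore.jks cannot be stored that way, which is the limitation noted later in the thread. Running the target through `InjectSecret` twice is a no-op the second time, which is what a reconcile loop needs to avoid update storms on every resync.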
Based on the prototype in #31, a few things:
- I implemented CA injection for both secrets and configmaps
- configmaps cannot contain truststores because configmaps can only contain text objects.
from cert-utils-operator.
Closed by #31
from cert-utils-operator.