Issue certificates for etcd-operator #9

Open (wants to merge 1 commit into main)
Conversation

ArkaSaha30

This PR will add a basic capability to issue self-signed certificates for etcd-operator.

  • Prerequisite: cert-manager needs to be installed before deploying the etcd-operator
    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml

  • Once etcd-operator is deployed, it requests 3 certificates from an issuer in the etcd-operator-system namespace:

    • peer certificate
    • client certificate
    • server certificate
deployment.apps/etcd-operator-controller-manager created
certificate.cert-manager.io/etcd-operator-etcd-client-certificate created
certificate.cert-manager.io/etcd-operator-etcd-peer-certificate created
certificate.cert-manager.io/etcd-operator-etcd-server-certificate created
issuer.cert-manager.io/etcd-operator-selfsigned created

etcd-operator on  issue-cert via 🐳 colima via 🐹 v1.22.7 on ☁️  (us-east-1) on ☁️  [email protected] 
❯ kubectl get secrets -n etcd-operator-system
NAME              TYPE                DATA   AGE
etcd-client-tls   kubernetes.io/tls   3      33s
etcd-peer-tls     kubernetes.io/tls   3      33s
etcd-server-tls   kubernetes.io/tls   3      34s

etcd-operator on  issue-cert via 🐳 colima via 🐹 v1.22.7 on ☁️  (us-east-1) on ☁️  [email protected] 
❯ kubectl -n etcd-operator-system get secret etcd-client-tls -o yaml | grep ca.crt
  ca.crt: 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

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArkaSaha30
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ahrtr
Member

ahrtr commented Dec 6, 2024

@ArkaSaha30 please rebase this PR. I just merged #8

go.mod (review thread outdated, resolved)
config/certmanager/cert-manager_issuer.yaml (review thread outdated, resolved):
dnsNames:
- etcd.etcd-operator-system
issuerRef:
name: etcd-operator-selfsigned
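Review bot: `issuerRef.name: etcd-operator-selfsigned` bakes the kustomize `namePrefix` (`etcd-operator-`) into the Certificate, so the reference only resolves when the Issuer is rendered through the same kustomization; with a different prefix, or applied without it, the CertificateRequest is created but never issued because the issuer is not found. Consider a YAML comment above `issuerRef` stating that this is the post-namePrefix issuer name. Also, the single shared `dnsNames` entry `etcd.etcd-operator-system` gives every certificate the same SAN, which will need to become per-cluster (and per-member) names once certificates are generated per cluster.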
Member

The issuerRef.name doesn't match the issuer's name?

ArkaSaha30 (Author) commented Dec 7, 2024

While deploying, the namePrefix: etcd-operator- was getting appended to the issuer, so when I reference just the issuer name without the namePrefix, although it creates a CertificateRequest, it is not able to find the issuer.

config/crd/bases/operator.etcd.io_etcdclusters.yaml (review thread outdated, resolved)
@ahrtr
Member

ahrtr commented Dec 6, 2024

A couple of high level thoughts:

  • For etcd-cluster's certificate,
    • add the cluster name as the prefix, i.e. cluster1-etcd-client-tls, etc. so that different clusters won't conflict.
    • expose an API for the reconciliation workflow to call to generate certificates for the etcd clusters
      • each member in one cluster should have a different certificate
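To make the two review suggestions concrete (per-cluster secret names, and one distinct certificate per member with role-specific usages for the peer, server and client certificates the PR description lists), here is an added example that is not part of this PR or of etcd-operator. It uses Go's crypto/x509 directly as a stand-in for what cert-manager's selfsigned Issuer does; the `SecretName` scheme, the `<cluster>-<index>.<cluster>.<namespace>` host pattern in `MemberDNSName`, and the `CA` type are assumptions made for this example, not names from the project.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertKind is one of the three roles the PR requests from cert-manager.
type CertKind string

const KindPeer, KindServer, KindClient CertKind = "peer", "server", "client"

// usages: peers serve and dial other peers, servers only serve, clients only authenticate.
var usages = map[CertKind][]x509.ExtKeyUsage{
	KindPeer:   {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	KindServer: {x509.ExtKeyUsageServerAuth},
	KindClient: {x509.ExtKeyUsageClientAuth},
}

// SecretName uses the reviewer's "<cluster>-etcd-<kind>-tls" scheme so clusters in one namespace do not collide.
func SecretName(cluster string, kind CertKind) string {
	return fmt.Sprintf("%s-etcd-%s-tls", cluster, kind)
}

// MemberDNSName is one member's SAN; the "<cluster>-<index>.<cluster>.<ns>" pattern
// is an assumption of this example (StatefulSet-style pod DNS), not something the PR defines.
func MemberDNSName(cluster, namespace string, index int) string {
	return fmt.Sprintf("%s-%d.%s.%s", cluster, index, cluster, namespace)
}

// CA is a self-signed issuer, standing in for cert-manager's selfsigned Issuer (hypothetical type).
type CA struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

func sign(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a short-lived self-signed CA certificate and key.
func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: priv}, nil
}

// IssueMemberCert issues one leaf per member per cluster, so no two members (or
// clusters) share a certificate; client certificates carry no DNS SAN.
func (ca *CA) IssueMemberCert(kind CertKind, cluster, namespace string, index int) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: fmt.Sprintf("%s-%d-%s", cluster, index, kind)},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  usages[kind],
	}
	if kind != KindClient {
		tmpl.DNSNames = []string{MemberDNSName(cluster, namespace, index)}
	}
	return sign(tmpl, ca.Cert, pub, ca.Key)
}

// VerifyFor is the check a connecting peer or client performs: chain to the CA and
// require validity for the expected host name and usage.
func (ca *CA) VerifyFor(leaf *x509.Certificate, dnsName string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

The member's private key is discarded in `IssueMemberCert` because only the certificate matters for the verification shown; a real issuer would place it in the `tls.key` entry of the secret. The point of `VerifyFor` is the failure cases: a member-0 certificate presented under member-1's name, a cluster1 certificate presented under a cluster2 name, or a client certificate offered as a server are all rejected, which is exactly what a single shared certificate per cluster cannot give you.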

@ahrtr
Member

ahrtr commented Dec 6, 2024

cc @hakman

This commit will add the capability to issue selfsigned certificates for etcd-operator.

Signed-off-by: ArkaSaha30 <[email protected]>
@ArkaSaha30
Author

> A couple of high level thoughts:
>
>   • For etcd-cluster's certificate,
>     • add the cluster name as the prefix, i.e. cluster1-etcd-client-tls, etc. so that different clusters won't conflict.
>     • expose an API for the reconciliation workflow to call to generate certificates for the etcd clusters
>       • each member in one cluster should have a different certificate

Sure, thank you!
Should I update it in this PR or raise a separate one as an incremental development?

ahrtr mentioned this pull request Dec 9, 2024
@ahrtr
Member

ahrtr commented Dec 9, 2024

Please read #10
