New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue 5514 read cabundle from kube objects - design doc #6228
base: master
Are you sure you want to change the base?
Issue 5514 read cabundle from kube objects - design doc #6228
Conversation
Hi @AppalaKarthik. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR is to review design document for #5514 |
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
Signed-off-by: AppalaKarthik <karthik.appala@fmr.com>
…github.com/fidelity/cert-manager into issue-5514-read-cabundle-from-kube-objects
@AppalaKarthik Thank you for the design document, I think it is ready to be merged (will ask other maintainers to also have a look). |
|
||
### Graduation Criteria | ||
|
||
Placing the `caBundleSecetRef` and `caBundleConfigMapRef` specification functionality behind a feature gate should be required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure that we have to introduce a new feature flag for this.
We also did not introduce a feature flag when we added secret refs for Vault: #5387
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we watching configmaps in cert-manager already? If not, I think it could make sense to initially add it behind a feature gate.
### Goals | ||
|
||
To be able to refer caBundle using secret. | ||
To be able to refer caBundle using configmap. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should also specify that we want to stay up-to-date with the latest version of the resource (if the resource contents change, we want to start trusting the new CA).
TODO: check if #5387 does this properly & how it does this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I think #5387 does this correctly for secrets, ref.
cert-manager/pkg/controller/issuers/checks.go
Lines 91 to 96 in 27fb916
if iss.Spec.Vault.CABundleSecretRef != nil { | |
if iss.Spec.Vault.CABundleSecretRef.Name == secret.Name { | |
affected = append(affected, iss) | |
continue | |
} | |
} |
@brianwarner could you fix the DCO error? |
Hi @inteon, it was a merge commit which should generally be excluded from DCO checks. But if it's required and you don't have access to the dco bot config, it's probably best if I just prune the merge commit? |
IMO this PR should be rebased and commits squashed. Any reason for not doing this? |
That does make a lot more sense, yeah... @AppalaKarthik does that work for you? |
Yeah it does. Let me do that.
From: Brian Warner ***@***.***>
Date: Monday, September 25, 2023 at 4:42 PM
To: cert-manager/cert-manager ***@***.***>
Cc: Appala, Karthik ***@***.***>, Mention ***@***.***>
Subject: Re: [cert-manager/cert-manager] Issue 5514 read cabundle from kube objects - design doc (PR #6228)
NOTICE: This email is from an external sender - do not click on links or attachments unless you recognize the sender and know the content is safe.
That does make a lot more sense, yeah... @AppalaKarthik<https://github.com/AppalaKarthik> does that work for you?
—
Reply to this email directly, view it on GitHub<#6228 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AY4S3OEPP5TLF5U5P3NDJXLX4HUD5ANCNFSM6AAAAAA2SNLBQY>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
/remove-lifecycle rotten |
/remove-lifecycle stale |
@AppalaKarthik Are you able to rebase/squash this PR to make it mergeable? If not, please let us know if you are ok with someone else picking this up. |
Pull Request Motivation
Design Doc for referencing cabundle using kubernetes native objects(secrets/configmaps)
Issue reference 5514
Kind
Design