Add support to create a issuer and CA via cert-manager #342
Conversation
drewwells
commented
Jun 12, 2023
DEMO
|
Hmm... to be a real ca, you need a second issuer I think. Interesting though to want to bundle the ca management right in to the chart though. We could consider taking this file: https://github.com/spiffe/helm-charts/blob/main/.github/tests/upstream-authority-cert-manager/cert-manager-ca.yaml and merging it into the chart |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please address the items in the review, some of which are just comments, and may not have definitive answers.
Overall this looks good. I'm willing to approve, but I do want answers (or at least comments in reply) to the questions within.
Let me check, you are right about the certificate. I'm not sure what that second Issuer is doing. |
Included ca certificate and ca issuer, based on this: https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers |
The first cert/issuer pair, creates a self signed root CA., then makes an issuer that can make certificates from that CA. The upstream certmanager ca plugin will then create its own nested ca certificate from there. So if you have multiple spire instances, they all can share a chain of trust that includes root CA's public key so it doesn't change very often. Each spire gets a short lived CA cert. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this contribution. Few small suggestions inline.
91dcbf8
to
216a6ee
Compare
a1b8b73
to
55ff7ad
Compare
Can you please:
This should then get the testing in github using your feature. |
Head branch was pushed to by a user without write access
3ce6287
to
c59139c
Compare
@kfox1111 mysql tests are broken now. I'm going to close this PR, 60+ comments. This was just to add cert manager CRs for development purposes. The scope has grown way out of my intended purposes. |
By the look of the tests, one failed due to transient network issue. Just rerunning the test should fix it. Please don't give up near the finish line. |
Going to reopen and double check the test. I think it should be ready if we just rerun it. |
Rerunning the test did work. So I think this PR is ready to merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2 small things I found. See test.yaml.
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good enough to get feature in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checking the unresolved conversations we missed one.
Added a release notes label to this PR as we will have to document some of the breaking changes in the release notes. e.g.: restructure of the issuerName field. |
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
That's great! Is it possible to get a release or pre-release available on the helm repo? |
Yes we can. We have one PR pending to cleanup an inconsistency for the 0.9.0 release. |
* 57a9320 Add SPIRE 1.7.0 to main readme (#357) * af36f7c Align the bash image version with other instances for spire-agent (#356) * c11a8c0 Implement pre-delete hook for graceful delete of spiffe-oidc-discovery-provider (#353) * a6dcf26 Allow for SPIRE Agent to run as non root user (#209) * 9cf6049 Allow contributors to run linting easily on local * e88f7f6 Add configmap annotation to spire-bundle configmap (#351) * 020bde8 Add support to create a issuer and CA via cert-manager (#342) * 9d504de Ignore .DS_Store files * e6b608c Bump spire images to 1.7.0 (#348) * c97a788 Fix bundle role/rolebinding naming conflict (#333) * b66077e Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#349) * d0da864 Add missing metadata to subcharts (#347) * 4c0a1d5 Allow overriding test images (#186) * 250fd5d Add missing global values to charts (#311) * 5d8c907 Dropping k8s versions in CI older than 3, as per readme (#344) * 8748933 Update upstream-ca-secret.yaml (#341) * 4e07450 Fix ingress annotations for federation (#337) * ea09199 Bump actions/checkout from 3.5.0 to 3.5.3 * 87fe198 Merge pull request #331 from edwbuck/key_conventions * ddc0166 Fix line wrapping. * 0cae9ce Update project/conventions.md * cb18255 Update project/conventions.md * 52e5c24 Upgrade Tornjak to image v1.2.2 (#328) * 28e2abf Choose a different example for dotted Acronyms. * d60d68c Added accidentally clipped explicit name guidelines. * abe9fde Merge branch 'main' into key_conventions * f6a7b62 Update project/conventions.md * c4d19db Update project/conventions.md * cfa9f78 Bump test chart dependencies (#332) * c3213ab Initial submission of Helm Chart key naming conventions. * 28c0824 Bump test chart dependencies (#322) * d333154 Add Makefile for local testing (#327) * 9fa1ec2 Improve Tornjak backend test (#321) * 5b779dc Improve Tornjak frontend test (#320) Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
* 57a9320 Add SPIRE 1.7.0 to main readme (#357) * af36f7c Align the bash image version with other instances for spire-agent (#356) * c11a8c0 Implement pre-delete hook for graceful delete of spiffe-oidc-discovery-provider (#353) * a6dcf26 Allow for SPIRE Agent to run as non root user (#209) * 9cf6049 Allow contributors to run linting easily on local * e88f7f6 Add configmap annotation to spire-bundle configmap (#351) * 020bde8 Add support to create a issuer and CA via cert-manager (#342) * 9d504de Ignore .DS_Store files * e6b608c Bump spire images to 1.7.0 (#348) * c97a788 Fix bundle role/rolebinding naming conflict (#333) * b66077e Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#349) * d0da864 Add missing metadata to subcharts (#347) * 4c0a1d5 Allow overriding test images (#186) * 250fd5d Add missing global values to charts (#311) * 5d8c907 Dropping k8s versions in CI older than 3, as per readme (#344) * 8748933 Update upstream-ca-secret.yaml (#341) * 4e07450 Fix ingress annotations for federation (#337) * ea09199 Bump actions/checkout from 3.5.0 to 3.5.3 * 87fe198 Merge pull request #331 from edwbuck/key_conventions * ddc0166 Fix line wrapping. * 0cae9ce Update project/conventions.md * cb18255 Update project/conventions.md * 52e5c24 Upgrade Tornjak to image v1.2.2 (#328) * 28e2abf Choose a different example for dotted Acronyms. * d60d68c Added accidentally clipped explicit name guidelines. * abe9fde Merge branch 'main' into key_conventions * f6a7b62 Update project/conventions.md * c4d19db Update project/conventions.md * cfa9f78 Bump test chart dependencies (#332) * c3213ab Initial submission of Helm Chart key naming conventions. * 28c0824 Bump test chart dependencies (#322) * d333154 Add Makefile for local testing (#327) * 9fa1ec2 Improve Tornjak backend test (#321) * 5b779dc Improve Tornjak frontend test (#320) Signed-off-by: Marco Franssen <marco.franssen@gmail.com>