Add example certs for all cluster components. #18
Conversation
examples/apiserver-cert.yaml
Outdated
| @@ -1,20 +1,20 @@ | |||
| apiVersion: "giantswarm.io/v1" | |||
| kind: Certificate | |||
| metadata: | |||
| name: "example-cert" | |||
| name: "uo91f-apiserver" | |||
| namespace: "uo91f" | |||
There was a problem hiding this comment.
Should the TPOs be in the "per cluster" or the giantswarm namespace?
examples/calico-cert.yaml
Outdated
| spec: | ||
| clusterID: "uo91f" | ||
| clusterComponent: "calico" | ||
| commonName: "calico.uo91f.g8s.eu-west-1.aws.test.private.giantswarm.io" |
There was a problem hiding this comment.
Is the calico domain correct? It isn't in the clustertpr, should we add it?
https://github.com/giantswarm/clustertpr/blob/master/calico/calico.go
examples/worker-cert.yaml
Outdated
| commonName: "api.uo91f.g8s.eu-west-1.aws.test.private.giantswarm.io" | ||
| altNames: | ||
| - "uo91f.g8s.eu-west-1.aws.test.private.giantswarm.io" | ||
| - "k8s-master-vm" |
There was a problem hiding this comment.
why does the worker cert need these alt names? these are the api server ANs aren't they?
There was a problem hiding this comment.
I think that's an error on my side, I'll remove them. I'd like to get these examples as close as possible and then I can automate in kubernetesd.
|
There's 2 sides to the TPO namespace issue:
So now I'm a bit more tending toward 2 |
| spec: | ||
| clusterID: "uo91f" | ||
| clusterComponent: "calico" | ||
| commonName: "calico.uo91f.g8s.eu-west-1.aws.test.private.giantswarm.io" |
There was a problem hiding this comment.
@xh3b4sd the Calico domain is missing from clustertpr. Can we add it and is the example correct?
There was a problem hiding this comment.
See
- https://github.com/giantswarm/giantswarm/issues/1305
- https://github.com/giantswarm/giantswarm/issues/1304
Feel free to do that in case your are blocked by it somehow. The domains for the guest cluster components have all the same structure and only differ in their sub domain. I don't know how the base domain of AWS clusters look like. And note that the kube DNS domain is a completely different thing structure wise.
There was a problem hiding this comment.
@xh3b4sd will do if it blocks me. Also sorry about forgetting my own issues!
examples/worker-cert.yaml
Outdated
| spec: | ||
| clusterID: "uo91f" | ||
| clusterComponent: "worker" | ||
| commonName: "api.uo91f.g8s.eu-west-1.aws.test.private.giantswarm.io" |
There was a problem hiding this comment.
Common name for the worker is worker, not api.
examples/apiserver-cert.yaml
Outdated
| clusterComponent: "kubernetes" | ||
| commonName: "api.cert-test.g8s.eu-west-1.aws.test.private.giantswarm.io" | ||
| clusterID: "uo91f" | ||
| clusterComponent: "apiserver" |
There was a problem hiding this comment.
I would prefer api over apiserver. The scheme for the other certs is to use the clusterComponent as sub domain identifier. The only exception is here.
Towards giantswarm/giantswarm#1255
This PR adds example certs for each cluster component. The actual certificate TPOs will be created by kubernetesd using data from the cluster TPO but there are some gaps currently.
I'd like to get these TPOs as close to the actual ones as possible. I'll then automate in kubernetesd. For now I've agreed with @asymmetric that we'll use the default namespace. This is while we decide if the TPOs should live in the cluster namespace.