[SECURESIGN-994] Enable TLS on secureSign components: mount certificates/keys #483
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: fghanmi. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@fghanmi: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
I have a few comments on this PR. First, I recommend dividing the PR into separate components. Please test each component to see if it can use TLS, because it looks like some of them are unable to do that. If a component cannot use TLS, it is unnecessary to modify the operator for that component. Additionally, please create unit and end-to-end tests.
||
// Secret with TLS server certificates and private key | ||
//+optional | ||
TLSCertificate TLSCert `json:"tlsCertificate"` |
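Review bot: the `//+optional` marker on `TLSCertificate` is contradicted by the field shape: it is a struct value with tag `json:"tlsCertificate"` and no `omitempty`, and even with `omitempty` encoding/json never omits an empty struct, so an unset field is still serialized as an empty object and the generated CRD cannot treat it as optional. Make it a pointer, `TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"``, as the status struct in this PR already does, and extend the comment to name the Secret keys (`tls.crt`, `tls.key`) the referenced Secret must contain, since the mount code later relies on those names.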
TLSCertificate TLSCert `json:"tlsCertificate"` | |
TLSCertificate TLSCert `json:"tls"` |
@@ -46,6 +50,7 @@ type CTlogStatus struct { | |||
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"` | |||
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"` | |||
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"` | |||
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"` |
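Review bot: the new status field has no doc comment, unlike its spec counterpart and the neighbouring `PrivateKeyPasswordRef`/`PublicKeyRef` fields in their own definitions; add one that says what the operator records here (the TLS Secret it actually resolved and mounted), so the generated CRD docs distinguish the desired value in spec from the observed one in status. Whatever tag the spec field ends up with, keep this one in sync with it.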
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"` | |
TLSCertificate *TLSCert `json:"tls,omitempty"` |
@@ -21,6 +21,9 @@ type FulcioSpec struct { | |||
// ConfigMap with additional bundle of trusted CA | |||
//+optional | |||
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"` | |||
// Secret with TLS server certificates and private key | |||
//+optional | |||
TLSCertificate TLSCert `json:"tlsCertificate"` |
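Review bot: `TrustedCA` two lines above is `*LocalObjectReference` with `omitempty`, while the new `TLSCertificate` is a bare `TLSCert` value without `omitempty`; an optional reference to a Secret should follow the `TrustedCA` shape, `TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"``, otherwise every Fulcio CR serializes an empty TLS object and the `//+optional` marker does not match the wire format.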
TLSCertificate TLSCert `json:"tlsCertificate"` | |
TLSCertificate TLSCert `json:"tls"` |
@@ -96,6 +99,7 @@ type OIDCIssuer struct { | |||
type FulcioStatus struct { | |||
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` | |||
Certificate *FulcioCert `json:"certificate,omitempty"` | |||
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"` |
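Review bot: `Certificate *FulcioCert` and `TLSCertificate *TLSCert` now sit side by side in `FulcioStatus` with no comments, and their names differ only by the `TLS` prefix; readers of the CRD will not know which one is Fulcio's own certificate material and which is the serving certificate for its listeners. Add a doc comment to each stating what it holds, and consider a shorter, distinct tag for the TLS one, as suggested for the spec field.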
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"` | |
TLSCertificate *TLSCert `json:"tls,omitempty"` |
type TrillianServer struct { | ||
// Secret with TLS server certificate and private key | ||
//+optional | ||
TLSCertificate TLSCert `json:"tlsCertificate"` |
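Review bot: the same optional-but-not-pointer shape problem applies here (`//+optional` on a struct value without `omitempty`). Beyond that, the comment "Secret with TLS server certificate and private key" does not say which listener of the Trillian log server it protects or whether the server and the signer are expected to share one Secret or use separate ones; state that in the comment so users do not mount the wrong material.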
TLSCertificate TLSCert `json:"tlsCertificate"` | |
TLSCertificate TLSCert `json:"tls"` |
type TrillianSigner struct { | ||
// Secret with TLS server certificate and private key | ||
//+optional | ||
TLSCertificate TLSCert `json:"tlsCertificate"` |
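Review bot: the field is described as a "TLS server certificate", but none of the hunks in this PR show argument or mount wiring for the signer, and the first review comment asks that each component be checked for whether it can use TLS at all. Confirm whether the log signer terminates TLS itself or only needs CA trust toward the log server before adding an API field for it; an API field shipped in a CRD is hard to remove later.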
TLSCertificate TLSCert `json:"tlsCertificate"` | |
TLSCertificate TLSCert `json:"tls"` |
MountPath: "/etc/ssl/certs", | ||
ReadOnly: true, | ||
}) | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-certificate", "/etc/ssl/certs/tls.crt") |
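Review bot: mounting the Secret at `/etc/ssl/certs` (read-only) shadows the image's system CA directory, so any outbound TLS the ct_server container performs loses the distribution CA bundle once this volume is attached; mount under a dedicated path such as `/etc/ctlog/tls` and point `--tls-certificate` there. Only `tls.crt` is referenced in these lines and no guard on the spec field being set is visible; make sure the key is passed alongside the certificate and that the append only happens when `TLSCertificate` is configured.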
Where did you find these options? There is no option to configure TLSConfig in the ct_server application.
This PR won't be merged until the issues upstream are solved (mentioned here).
I've prepared 4 PRs to enable TLS on CTLog, rekor, fulcio.
The tls-certificate option is here: https://github.com/google/certificate-transparency-go/pull/1523/files#diff-7a183747e4fb8d227a2b6b60050cbab942013815105b231c7dedf4d0e9fbabbbR61
}) | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt") | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key") | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt") |
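Review bot: the three consecutive `append` calls on the same slice should be one `append(args, "--grpc-tls-certificate", ..., "--grpc-tls-key", ..., "--tls-ca-cert", ...)`. More importantly, all three files are expected under `/etc/ssl/certs`, which shadows the system CA bundle exactly as in the ct_server change, and `ca.crt` is not guaranteed to exist in a `kubernetes.io/tls` Secret, so either validate that the Secret carries `tls.crt`, `tls.key` and `ca.crt` before adding the flags or make `--tls-ca-cert` conditional on the key being present.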
Where did you find this option on Fulcio? I was unable to find any reference to it in its source code.
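An added check, not code from this PR or the operator: a Go function that validates the Secret data the hunks above mount (`tls.crt`, `tls.key` and the optional `ca.crt`) before the operator passes the matching flags, so a mispaired key or a certificate that does not chain to the supplied CA is reported at reconcile time rather than as a server start-up failure. `ValidateTLSSecretData` and `NewTestMaterial` are hypothetical names, and the certificate material is constructed in-process for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateTLSSecretData checks the Secret keys the operator mounts before they are
// wired into server flags: tls.crt/tls.key must pair up, and if ca.crt is present the leaf must chain to it.
func ValidateTLSSecretData(data map[string][]byte) error {
	pair, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"])
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key are not a usable pair: %w", err)
	}
	if ca, ok := data["ca.crt"]; ok { // the CA bundle is optional in a kubernetes.io/tls Secret
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(ca) {
			return fmt.Errorf("ca.crt holds no parsable certificate")
		}
		leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed once by X509KeyPair
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
			return fmt.Errorf("tls.crt does not chain to ca.crt: %w", err)
		}
	}
	return nil
}

// NewTestMaterial builds a constructed, throwaway CA and a server leaf it signed,
// in the PEM shapes the Secret keys carry (test data only, not real certificates).
func NewTestMaterial() (caPEM, crtPEM, keyPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ctlog"}, NotBefore: nb,
		NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	toPEM := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return toPEM("CERTIFICATE", caDER), toPEM("CERTIFICATE", leafDER), toPEM("PRIVATE KEY", keyDER)
}
```

A reconcile loop would call `ValidateTLSSecretData(secret.Data)` and surface the error in the CR status before touching the Deployment.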
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Depends on open issues: