Allow providing control plane certs & ca in separate secrets #3015

Closed
usrbinkat opened this issue Oct 26, 2021 · 1 comment · Fixed by #3638
Labels
area/installation kind/improvement Improvement on an existing feature triage/accepted The issue was reviewed and is complete enough to start working on it

Comments

@usrbinkat

Summary

Effective declarative deployment via helm is negatively impacted due to Control Plane certificate strategy requiring cert, key, and CA to come from a single secret. An example scenario is the difficulty issuing controlplane ca and certificates via cert-manager.

Steps To Reproduce

  1. Create CA with Cert Manager
  2. Issue Control Plane Cert & Key with Cert Manager
  3. Deploy Kuma via Helm pointing at the issued cert/key
  4. Observe Control Plane deployment failure due to secret not including CA

Workaround

  • A) Anti-pattern
    2.a Issue Control Plane Cert & Key with Cert Manager
    2.b Concatenate CA, Cert, and Key into single secret prior to helm deploying Kuma
    3.a Deploy Kuma via Helm pointing at the concatenated ca/cert/key secret
  • B) Snowflake
    • Implement Kustomize patching to accommodate independent Cert Manager provided certs

Additional Details & Logs

  • Installation Method Helm
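
The cert-manager side of steps 1 and 2 above, as an added example that is not part of the original issue or of the Kuma project. Every resource name, the `kuma-system` namespace and the control plane DNS name are assumptions; the Helm step is left out because the chart values are not shown on this page.

```yaml
# Step 1: bootstrap a CA with cert-manager (self-signed root, then a CA issuer).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap          # hypothetical name
  namespace: kuma-system              # assumed install namespace
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kuma-ca                       # hypothetical name
  namespace: kuma-system
spec:
  isCA: true
  commonName: kuma-ca
  secretName: kuma-ca-tls             # CA cert and key are stored in this secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kuma-ca-issuer                # hypothetical name
  namespace: kuma-system
spec:
  ca:
    secretName: kuma-ca-tls           # signs with the CA created above
---
# Step 2: issue the control plane cert and key into their own secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kuma-control-plane            # hypothetical name
  namespace: kuma-system
spec:
  secretName: kuma-control-plane-tls  # separate from the CA secret
  dnsNames:
    - kuma-control-plane.kuma-system.svc   # assumed service DNS name
  usages:
    - server auth
  issuerRef:
    name: kuma-ca-issuer
    kind: Issuer
```
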
@scottslowe

Strongly support this RFE. More details on the anti-pattern described by @usrbinkat can be found here: https://github.com/scottslowe/kuma-cert-manager

@lahabana lahabana added area/installation kind/improvement Improvement on an existing feature triage/accepted The issue was reviewed and is complete enough to start working on it and removed installation labels Nov 22, 2021
@lahabana lahabana changed the title [RFE]: Allow providing control plane certs & ca in separate secrets Allow providing control plane certs & ca in separate secrets Nov 29, 2021