-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Add ClientCertAdditionalData & HubSensitive #321
✨ Add ClientCertAdditionalData & HubSensitive #321
Conversation
a41c573
to
ce48d31
Compare
/assign @qiujian16 Please take the time to review this pull request. |
Signed-off-by: xuezhaojun <zxue@redhat.com>
ce48d31
to
f81e1c2
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: xuezhaojun The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
// If it is set to true, the renewal of the CSR will be triggered when the hub is changed. | ||
// +optional | ||
// +kubebuilder:default=true | ||
HubSensitive bool `json:"hubSensitive,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should not use bool type
// is the additional data that will be stored alongside with the client certificate in that secret. | ||
// Also, the change of the additional data will trigger the CSR renewal. | ||
// +optional | ||
ClientCertAdditionalData map[string]string `json:"clientCertAdditionalData,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is not recommanded to use map since it is unbondary and behave weird when merge.
/close Decidei to use subject groups and OU. |
@xuezhaojun: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Summary
HubSensitive
by default is true, for CustomSignedCSR like cluster-proxy , it will add an addtionalData of hub CA hash when storing certificates to a secert. So that hub change will trigger the renewal of CSR.For addons that don't want CSR renewl when changing hub(for example, the client certificates is used to access a consist URL service), the addon developer can set the
HubSensitive
to false, and control the renewal of CSR by set their ownClientCertAddtionalData
.