
✨ Add ClientCertAdditionalData & HubSensitive #321

Conversation

@xuezhaojun xuezhaojun commented Mar 11, 2024

Summary

HubSensitive by default is true. For CustomSignedCSR like cluster-proxy, it will add an additionalData of hub CA hash when storing certificates to a secret, so that a hub change will trigger the renewal of the CSR.

For addons that don't want CSR renewal when changing hub (for example, the client certificate is used to access a consistent URL service), the addon developer can set HubSensitive to false, and control the renewal of the CSR by setting their own ClientCertAdditionalData.
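The renewal mechanism the summary describes, as an added illustration that is not code from this PR or from cluster-proxy: a digest of the hub CA bundle (never the bundle itself) is stored beside the certificate when the addon is hub-sensitive, the addon's own entries are stored either way, and any added, removed or changed entry triggers a new CSR. The secret key names (`tls.crt`, `tls.key`, `hub-ca-hash`) and the CA bundles are assumptions and constructed samples, not values from the PR.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Secret keys holding the client certificate itself (kubernetes.io/tls layout).
const (
	certKey = "tls.crt"
	keyKey  = "tls.key"
	// hubCAHashKey is an assumed key name for the hub CA digest; the PR does not name one.
	hubCAHashKey = "hub-ca-hash"
)

// Constructed stand-ins for two different hub CA bundles (not real certificates).
var (
	hubCAv1 = []byte("-----BEGIN CERTIFICATE-----\nconstructed hub CA v1\n-----END CERTIFICATE-----\n")
	hubCAv2 = []byte("-----BEGIN CERTIFICATE-----\nconstructed hub CA v2\n-----END CERTIFICATE-----\n")
)

// HashHubCA returns the hex SHA-256 of the bundle; only this digest is stored next to the certificate.
func HashHubCA(caBundle []byte) string {
	sum := sha256.Sum256(caBundle)
	return hex.EncodeToString(sum[:])
}

// ExpectedAdditionalData is what should sit beside the certificate right now:
// the addon's own entries, plus the hub CA hash when hubSensitive is true.
func ExpectedAdditionalData(hubSensitive bool, hubCABundle []byte, addonData map[string]string) map[string]string {
	out := make(map[string]string, len(addonData)+1)
	for k, v := range addonData {
		out[k] = v
	}
	if hubSensitive {
		out[hubCAHashKey] = HashHubCA(hubCABundle)
	}
	return out
}

// BuildSecretData lays out the secret: certificate, key, and the additional data as extra entries.
// Additional data is not allowed to shadow the certificate or key entries.
func BuildSecretData(cert, key []byte, additional map[string]string) (map[string][]byte, error) {
	data := map[string][]byte{certKey: cert, keyKey: key}
	for k, v := range additional {
		if k == certKey || k == keyKey {
			return nil, fmt.Errorf("additional data key %q collides with a reserved secret key", k)
		}
		data[k] = []byte(v)
	}
	return data, nil
}

// NeedsRenewal compares the additional data stored beside the certificate with what is expected now.
// Any new, removed or changed entry triggers a new CSR; the reason names the first difference found.
func NeedsRenewal(secretData map[string][]byte, expected map[string]string) (bool, string) {
	stored := map[string][]byte{}
	for k, v := range secretData {
		if k != certKey && k != keyKey {
			stored[k] = v
		}
	}
	keys := map[string]struct{}{}
	for k := range stored {
		keys[k] = struct{}{}
	}
	for k := range expected {
		keys[k] = struct{}{}
	}
	sorted := make([]string, 0, len(keys))
	for k := range keys {
		sorted = append(sorted, k)
	}
	sort.Strings(sorted) // deterministic reason string
	for _, k := range sorted {
		sv, inStored := stored[k]
		ev, inExpected := expected[k]
		switch {
		case !inStored:
			return true, fmt.Sprintf("additional data %q is new", k)
		case !inExpected:
			return true, fmt.Sprintf("additional data %q was removed", k)
		case !bytes.Equal(sv, []byte(ev)):
			return true, fmt.Sprintf("additional data %q changed", k)
		}
	}
	return false, ""
}

func main() {
	// Hub-sensitive addon: certificate stored under hub CA v1, then the hub rotates to v2.
	stored, _ := BuildSecretData([]byte("cert"), []byte("key"), ExpectedAdditionalData(true, hubCAv1, nil))
	fmt.Println(NeedsRenewal(stored, ExpectedAdditionalData(true, hubCAv2, nil)))
	// Not hub-sensitive: the hub change is ignored; only the addon's own entries matter.
	own := map[string]string{"service-url-hash": "constructed-digest"}
	stored, _ = BuildSecretData([]byte("cert"), []byte("key"), ExpectedAdditionalData(false, hubCAv1, own))
	fmt.Println(NeedsRenewal(stored, ExpectedAdditionalData(false, hubCAv2, own)))
}
```

Storing a digest rather than the CA bundle keeps the secret small and avoids duplicating trust material in every addon secret; the comparison is symmetric, so a removed key is as much a change as an added one.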

@openshift-ci openshift-ci bot requested review from deads2k and qiujian16 March 11, 2024 09:28
@xuezhaojun xuezhaojun force-pushed the add-clientcertadditionaldata branch from a41c573 to ce48d31 March 11, 2024 09:36
@xuezhaojun xuezhaojun changed the title ✨ Add ClientCertAdditionalData. ✨ Add ClientCertAdditionalData & HubSensetive Mar 11, 2024
@xuezhaojun xuezhaojun changed the title ✨ Add ClientCertAdditionalData & HubSensetive ✨ Add ClientCertAdditionalData & HubSensitive Mar 11, 2024
@xuezhaojun

/assign @qiujian16

Please take the time to review this pull request.

Signed-off-by: xuezhaojun <zxue@redhat.com>
@xuezhaojun xuezhaojun force-pushed the add-clientcertadditionaldata branch from ce48d31 to f81e1c2 March 11, 2024 09:46

openshift-ci bot commented Mar 11, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xuezhaojun
Once this PR has been reviewed and has the lgtm label, please ask for approval from qiujian16. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

// If it is set to true, the renewal of the CSR will be triggered when the hub is changed.
// +optional
// +kubebuilder:default=true
HubSensitive bool `json:"hubSensitive,omitempty"`

should not use bool type

// is the additional data that will be stored alongside with the client certificate in that secret.
// Also, the change of the additional data will trigger the CSR renewal.
// +optional
ClientCertAdditionalData map[string]string `json:"clientCertAdditionalData,omitempty"`

it is not recommended to use map since it is unbounded and behaves weirdly when merged.
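
The two review points above, as an added illustration that is not code from this PR (the project ultimately went a different way): under an RFC 7386 JSON merge patch (`kubectl patch --type merge`, client-go's `types.MergePatchType`; the default strategic merge patch treats a `map[string]string` the same way) a map field is merged key by key, so a patch that intends to replace the additional data leaves stale keys behind, whereas a list field is replaced wholesale. The `additionalDataItems` list, the `AdditionalDataItem` type and its kubebuilder markers are hypothetical, and the spec and patch documents are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// MergePatch applies an RFC 7386 JSON merge patch: objects merge key by key,
// a null deletes a key, and everything else (arrays included) is replaced wholesale.
func MergePatch(target, patch interface{}) interface{} {
	pm, ok := patch.(map[string]interface{})
	if !ok {
		return patch
	}
	out := map[string]interface{}{}
	if tm, ok := target.(map[string]interface{}); ok {
		for k, v := range tm {
			out[k] = v
		}
	}
	for k, v := range pm {
		if v == nil {
			delete(out, k)
			continue
		}
		out[k] = MergePatch(out[k], v)
	}
	return out
}

// Constructed spec: the same two entries once as a map field and once as a list of items.
const existingSpec = `{
  "clientCertAdditionalData": {"region": "us-east", "team": "payments"},
  "additionalDataItems": [
    {"key": "region", "value": "us-east"},
    {"key": "team", "value": "payments"}
  ]
}`

// Constructed patch: the caller intends the additional data to become exactly {region: eu-west}.
const intendedPatch = `{
  "clientCertAdditionalData": {"region": "eu-west"},
  "additionalDataItems": [{"key": "region", "value": "eu-west"}]
}`

// ApplyConstructedPatch merges the patch into the spec and returns both fields afterwards.
func ApplyConstructedPatch() (map[string]interface{}, []interface{}, error) {
	var target, patch interface{}
	if err := json.Unmarshal([]byte(existingSpec), &target); err != nil {
		return nil, nil, err
	}
	if err := json.Unmarshal([]byte(intendedPatch), &patch); err != nil {
		return nil, nil, err
	}
	merged := MergePatch(target, patch).(map[string]interface{})
	mapField := merged["clientCertAdditionalData"].(map[string]interface{})
	listField := merged["additionalDataItems"].([]interface{})
	return mapField, listField, nil
}

// AdditionalDataItem is a hypothetical bounded alternative to map[string]string:
// a list of named subobjects with per-field length limits (markers are illustrative).
type AdditionalDataItem struct {
	// +kubebuilder:validation:MaxLength=63
	Key string `json:"key"`
	// +kubebuilder:validation:MaxLength=253
	Value string `json:"value"`
}

// ValidateItems enforces the bound and key uniqueness in the controller as well as in the schema,
// so an oversized or ambiguous list is rejected before it reaches the secret.
func ValidateItems(items []AdditionalDataItem, maxItems int) error {
	if len(items) > maxItems {
		return fmt.Errorf("%d items exceeds limit of %d", len(items), maxItems)
	}
	seen := map[string]struct{}{}
	for _, it := range items {
		if it.Key == "" {
			return fmt.Errorf("empty key")
		}
		if _, dup := seen[it.Key]; dup {
			return fmt.Errorf("duplicate key %q", it.Key)
		}
		seen[it.Key] = struct{}{}
	}
	return nil
}

func main() {
	m, l, err := ApplyConstructedPatch()
	if err != nil {
		panic(err)
	}
	fmt.Println("map after patch: ", m) // stale "team" entry survives the patch
	fmt.Println("list after patch:", l) // list replaced as the caller intended
	fmt.Println(ValidateItems([]AdditionalDataItem{{Key: "a", Value: "1"}, {Key: "a", Value: "2"}}, 8))
}
```

The stale key matters here because, per the PR description, a change in additional data is what drives CSR renewal: with a map, removing an entry requires an explicit null in the patch, so a client that simply sends the new desired set never triggers the renewal it expected.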

@xuezhaojun

/close

Decided to use subject groups and OU.

@openshift-ci openshift-ci bot closed this Mar 13, 2024

openshift-ci bot commented Mar 13, 2024

@xuezhaojun: Closed this PR.

In response to this:

/close

Decided to use subject groups and OU.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
