
Root CA bundle #1316

Merged
merged 11 commits into from
Apr 30, 2021

Conversation

@kron4eg kron4eg (Member) commented Apr 16, 2021

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1298

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Root CA bundle

@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. labels Apr 16, 2021
@kubermatic-bot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kron4eg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 16, 2021
@kron4eg kron4eg marked this pull request as draft April 16, 2021 12:39
@kubermatic-bot kubermatic-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 16, 2021
@kron4eg kron4eg (Member Author) commented Apr 16, 2021

/retest

1 similar comment
@kron4eg kron4eg (Member Author) commented Apr 16, 2021

/retest

@kron4eg kron4eg force-pushed the 1298-ca-bundle branch 3 times, most recently from 39b2ce2 to 7981d15 Compare April 22, 2021 15:30
@kubermatic-bot kubermatic-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 22, 2021
@kron4eg kron4eg marked this pull request as ready for review April 23, 2021 08:05
@kubermatic-bot kubermatic-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 23, 2021
@kron4eg kron4eg requested a review from xmudrii April 23, 2021 08:10
Comment on lines +54 to +55
// CABundle PEM encoded global CA
CABundle string `json:"caBundle,omitempty"`
@xmudrii xmudrii (Member)

I'd say that this should be a path to the bundle on local FS instead of the bundle itself. The bundle can be huge (the Mozilla one is 3k+ lines).

@kron4eg kron4eg (Member Author) Apr 23, 2021

While yes, the original public CA bundle is long, this field should only be used when you have your very own custom CA bundle, which most likely will not be that long.

@xmudrii xmudrii (Member)

I would still prefer to reference a file instead of embedding it in the KubeOne config manifest. We can't know for sure how long the CA bundle is. Theoretically, it can range from several dozen lines to several thousand. From the user experience side, I believe referencing the file is better because the manifest is smaller and easier to maintain.

Additionally, we use this pattern in other places as well, such as:

  1. addons
  2. PodNodeSelector and StaticAuditLog features

@kron4eg kron4eg (Member Author)

Then let's build on top of this PR as it's already quite big. My proposal would be to retrofit the "special content" linking,
i.e. let's have file:///path/to/file in .CABundle, and if it starts with file:// it will be interpreted as a reference to the file instead of the actual content.
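
As an added example, not KubeOne's code and not from either reviewer, here is how the file:// convention proposed above could be resolved and the resulting bundle checked before it is handed to any component. The helper names ResolveCABundle, ValidateCABundle and NewTestCAPEM are hypothetical, and the certificates are generated on the fly as constructed test data. The validation step is the part a practitioner would want in either design (inline or file reference): it rejects an empty bundle, a PEM block that is not a certificate (a private key pasted next to the CA is the classic mistake) and a certificate that is not marked as a CA, so a broken bundle fails at config-load time instead of surfacing later as an opaque TLS error on the cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// filePrefix marks a CABundle value that points at a file on the local
// filesystem (the convention proposed in the thread); any other value is
// taken to be the inline PEM bundle itself.
const filePrefix = "file://"

// ResolveCABundle returns the raw bytes of a CABundle field value, reading
// the file when the value starts with file://. Hypothetical helper.
func ResolveCABundle(value string) ([]byte, error) {
	if !strings.HasPrefix(value, filePrefix) {
		return []byte(value), nil
	}
	path := strings.TrimPrefix(value, filePrefix)
	if path == "" {
		return nil, errors.New("caBundle: empty path after file://")
	}
	return os.ReadFile(path)
}

// ValidateCABundle walks every PEM block in data and returns how many CA
// certificates it contains. Non-certificate blocks, unparsable certificates,
// non-CA certificates and an empty bundle are all rejected.
func ValidateCABundle(data []byte) (int, error) {
	count := 0
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return 0, fmt.Errorf("caBundle: unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("caBundle: certificate %d: %w", count+1, err)
		}
		if !cert.IsCA {
			return 0, fmt.Errorf("caBundle: certificate %d (%q) is not a CA", count+1, cert.Subject.CommonName)
		}
		count++
	}
	if count == 0 {
		return 0, errors.New("caBundle: no certificates found")
	}
	return count, nil
}

// NewTestCAPEM generates a throwaway self-signed certificate (a CA when isCA
// is true, a plain leaf otherwise) and returns it PEM-encoded. Constructed
// test data for this example only, not a real CA.
func NewTestCAPEM(cn string, isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := NewTestCAPEM("example-root", true)
	if err != nil {
		panic(err)
	}
	// Inline form: the manifest value is the PEM itself.
	data, _ := ResolveCABundle(string(ca))
	n, err := ValidateCABundle(data)
	fmt.Println("inline bundle: CA certs =", n, "err =", err)
}
```

The file:// branch reads whatever path the manifest names, so the same ValidateCABundle pass applies to both forms; the only difference between the two designs is where the bytes come from, not what must be true of them.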

@xmudrii xmudrii (Member)

This sounds like a good plan. Can you create a follow-up issue for this?

@kron4eg kron4eg marked this pull request as draft April 23, 2021 23:18
@kubermatic-bot kubermatic-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 23, 2021
@kron4eg kron4eg mentioned this pull request Apr 24, 2021
@kron4eg kron4eg force-pushed the 1298-ca-bundle branch 6 times, most recently from 3f5280a to cd08287 Compare April 26, 2021 20:59
@kron4eg kron4eg marked this pull request as ready for review April 26, 2021 20:59
@kubermatic-bot kubermatic-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 26, 2021
@kron4eg kron4eg requested a review from xmudrii April 26, 2021 20:59
@kron4eg kron4eg (Member Author) commented Apr 26, 2021

/retest

@kron4eg kron4eg force-pushed the 1298-ca-bundle branch 2 times, most recently from 6546504 to 52b424b Compare April 27, 2021 19:58
@xmudrii xmudrii (Member) left a comment

Is there a way to test this feature in an automated way, i.e. with the E2E tests? If yes, we should do that in a follow-up (please create a ticket in that case).

kron4eg added 11 commits April 29, 2021 17:41
Signed-off-by: Artiom Diomin <[email protected]>
@kron4eg kron4eg (Member Author) commented Apr 29, 2021

kron4eg force-pushed the kron4eg:1298-ca-bundle branch from 492d568 to 753f677 2 minutes ago

that's just a rebase

@kubermatic-bot kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2021
@kubermatic-bot (Contributor)

LGTM label has been added.

Git tree hash: 35429b94a7f4d49f3c51eb90eab28f7d25622330

@kubermatic-bot kubermatic-bot merged commit cb5b759 into kubermatic:master Apr 30, 2021
@kubermatic-bot kubermatic-bot added this to the KubeOne 1.3 milestone Apr 30, 2021
@kron4eg kron4eg deleted the 1298-ca-bundle branch April 30, 2021 15:55
Successfully merging this pull request may close these issues.

CA bundle for all components