Remove Need for SANs in Provided Cert/Key Pair #406
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alecmerdler
changed the title
alecmerdler
force-pushed
the
PROJQUAY-1737
branch
from
332598e to
e7a9749
Compare
dmesser
reviewed
Mar 19, 2021
alecmerdler
force-pushed
the
PROJQUAY-1737
branch
2 times, most recently
from
b756145 to
015801f
Compare
alecmerdler
force-pushed
the
PROJQUAY-1737
branch
7 times, most recently
from
38a765c to
0c150b0
Compare
alecmerdler
changed the title
alecmerdler
commented
Mar 25, 2021
alecmerdler
force-pushed
the
PROJQUAY-1737
branch
4 times, most recently
from
1952296 to
acb2b11
Compare
alecmerdler
added a commit
to alecmerdler/quay-operator
that referenced
this pull request
May 11, 2021
Backport the fix from (quay#406) to remove the requirement for provided TLS cert/key pair to be valid for internal k8s service hostnames as SAN entries. Signed-off-by: Alec Merdler <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue: https://issues.redhat.com/browse/PROJQUAY-1737
Changelog: Remove the need for SANs of internal k8s service hosts in provided cert/key pair for Quay.
Docs: quay/quay-docs#157
Testing: There are a few different situations which must be tested:
RouteSERVER_HOSTNAMERoutehostname, self-signed certsRoutehostname)Routehostname and provided certsstatus.conditionsregistry.company.comstatus.conditionsregistry.company.comregistry.company.comSERVER_HOSTNAMEis unsetSERVER_HOSTNAMEis unsetregistry.company.comregistry.company.comstatus.conditionsregistry.company.comDetails: Most public key infrastructure cannot generate cert/key pairs for the internal Kubernetes
Servicehostnames (quay.namespace.svc). Previously, the Operator would reject provided certs which did not include these hostnames as Subject Alternative Names (SANs) because they were believed to be needed for TLS connections within the cluster. This is not the case, so this check is removed.To use a
Routewith the included OpenShift cluster cert/key pair, mark theroutecomponent asmanaged: false, includeSERVER_HOSTNAMEas the future generatedRoutehostname (follows the pattern<route-name>-<namespace>.apps.<cluster>), then create your ownRoutewhich points to the Quay appServiceand uses re-encrypt TLS termination, with thedestinationCACertificateset to the generatedtls.certfound in theSecretmounted into the Quay app pods.