Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm: mandate issuer configuration when using cert-manager to generate certificates #24666

Merged
merged 2 commits into from
Apr 6, 2023
Merged

helm: mandate issuer configuration when using cert-manager to generate certificates #24666

merged 2 commits into from
Apr 6, 2023

Conversation

giorio94
Copy link
Member

Currently, in the helm chart, if the cert-manager approach is selected to generate the hubble and clustermesh certificates but no issuer is specified, a new issuer is created for each of them, along with a secret containing the CA information. Still, this approach is currently broken, since the CA secret which is created does not match the format expected by cert-manager. At the same time, this might also hide misconfigurations (e.g., if there is a typo in the issuer configuration) and possibly lead to different CAs for different components. Hence, let's just stick to the approach documented in the user guide and make it mandatory to specify the issuer when cert-manager is used. It is a task of the users (as unrelated from cilium) to create the appropriate issuer in advance, according to their own preference.

This PR supersedes #24505, since the automatic creation of a per-component self-signed issuer would lead to certificates signed by different authorities, which is something we are trying to move away (https://github.com/cilium/cilium/blob/master/install/kubernetes/cilium/values.yaml#L1000-L1002). Using a well-defined CA, shared among all clusters to be joined with clustermesh is also the best practice for a smooth setup, and we should encourage it (https://docs.cilium.io/en/v1.13/network/clustermesh/clustermesh/#shared-certificate-authority).

I'm marking this as a bug fix, since selecting cert-manager and leaving the issuer unset currently leads to a broken setup (since the certificates are never generated due to the incorrect secret content).

I'm marking this for backport to v1.12 and v1.13 since the reverted PR (#22921) which removed the validation has been backported to those versions.

Fixes: #24500

helm: mandate issuer configuration when using cert-manager to generate certificates

@giorio94
Revert "Modify helm chart: delete validations for certManagerIssuerRef"
579bae3 
This reverts commit bc2ed14.

Currently, in the helm chart, if the cert-manager approach is selected
to generate the hubble and clustermesh certificates but no issuer is
specified, a new issuer is created for each of them, along with a secret
containing the CA information. Still, this approach is currently broken,
since the CA secret which is created does not match the format expected
by cert-manager. At the same time, this might also hide misconfigurations
(e.g., if there is a typo in the issuer configuration) and possibly lead
to different CAs for different components. Hence, let's just stick to
the approach documented in the user guide and make it mandatory to specify
the issuer when cert-manager is used. It is a task of the users (as
unrelated from cilium) to create the appropriate issuer in advance,
according to their own preference.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/helm Impacts helm charts and user deployment experience needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Mar 31, 2023
@giorio94 giorio94 requested review from a team as code owners March 31, 2023 07:32
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.12.9 Mar 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.2 Mar 31, 2023
@giorio94 giorio94 requested a review from kaworu March 31, 2023 07:32
@giorio94
Revert "helm: ca issuer"
d84bc71 
This reverts commit 082fa15.

Currently, in the helm chart, if the cert-manager approach is selected
to generate the hubble and clustermesh certificates but no issuer is
specified, a new issuer is created for each of them, along with a secret
containing the CA information. Still, this approach is currently broken,
since the CA secret which is created does not match the format expected
by cert-manager. At the same time, this might also hide misconfigurations
(e.g., if there is a typo in the issuer configuration) and possibly lead
to different CAs for different components. Hence, let's just stick to
the approach documented in the user guide and make it mandatory to specify
the issuer when cert-manager is used. It is a task of the users (as
unrelated from cilium) to create the appropriate issuer in advance,
according to their own preference.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
Copy link
Member Author

I'm not running the additional tests, since they would provide no additional coverage for this helm-related change.

sayboras
sayboras approved these changes Apr 2, 2023
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes are looking good to me ✔️, only one question on upgrade path.

install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml Show resolved Hide resolved
install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml Show resolved Hide resolved
kaworu
kaworu approved these changes Apr 3, 2023
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @giorio94!

@giorio94
Copy link
Member Author

giorio94 commented Apr 6, 2023

Marking as ready to merge without running the additional tests, as this includes helm related changes and they would provide no additional coverage.

@giorio94 giorio94 added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 6, 2023
@giorio94 giorio94 mentioned this pull request Apr 6, 2023
Closed
8 tasks
@squeed squeed merged commit 62f72cd into cilium:master Apr 6, 2023
42 checks passed
@pchaigno pchaigno mentioned this pull request Apr 11, 2023
Merged
8 tasks
@pchaigno pchaigno added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.2 Apr 11, 2023
@pchaigno pchaigno mentioned this pull request Apr 11, 2023
Merged
5 tasks
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.9 Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.9 Apr 11, 2023
@gandro gandro added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.2 Apr 12, 2023
@gandro gandro added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.9 Apr 12, 2023
@michi-covalent michi-covalent mentioned this pull request Apr 14, 2023
Merged
@gentoo-root gentoo-root mentioned this pull request Apr 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@rolinh rolinh rolinh approved these changes

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

@sayboras sayboras sayboras approved these changes

Assignees
No one assigned
Labels
area/helm Impacts helm charts and user deployment experience backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.12.9
Backport done to v1.12
1.13.2
Backport done to v1.13
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Chart: hubble tls certificate generation with certmanager fails
8 participants
@giorio94 @kaworu @rolinh @tommyp1ckles @sayboras @gandro @squeed @pchaigno