OCPCLOUD-3346: tls: use centralized TLS #1456
RadekManak wants to merge 9 commits into openshift:main from
@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/assign @damdo
damdo left a comment:
Thanks! Looks good, a couple of minor points.
pkg/operator/operator.go (outdated):
    var tlsProfile *osconfigv1.TLSProfileSpec
    apiServer, err := optr.osClient.ConfigV1().APIServers().Get(context.Background(), "cluster", metav1.GetOptions{})
    if err != nil {
        klog.Warningf("Failed to fetch APIServer, using default TLS profile: %v", err)
Shouldn't we return here?
What would happen otherwise?
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Remove the kube-rbac-proxy sidecar, mount the serving cert, and restart the operator on APIServer TLS profile changes.
Capture the APIServer TLS profile in operator config and use it to configure kube-rbac-proxy TLS args, with unit coverage.
Add unit tests to verify TLS configuration handling in newKubeProxyContainer, including tests for TLS 1.2 with cipher suites and TLS 1.3 without cipher suites.
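As an added example (not code from this PR or from the machine-api-operator), the following Go program derives kube-rbac-proxy's --tls-min-version and --tls-cipher-suites arguments from a TLS profile and covers the two cases the tests above name: TLS 1.2 with cipher suites and TLS 1.3 without. The TLSProfile struct is a constructed stand-in for the openshift/api TLSProfileSpec, cipher names are assumed to already be IANA names (conversion from OpenSSL names is out of scope here), and filtering the list against crypto/tls's secure suite table is this example's own choice, not something the PR describes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfile is a constructed stand-in for the fields of the APIServer TLS
// profile that matter here. It is an assumption of this example, not the
// openshift/api TLSProfileSpec type, and its cipher names are IANA names.
type TLSProfile struct {
	MinTLSVersion string   // "VersionTLS12" or "VersionTLS13"
	Ciphers       []string // e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
}

// tls12Suites indexes, by IANA name, the cipher suites Go's crypto/tls
// considers secure and usable at TLS 1.2. tls.CipherSuites() omits the
// suites Go marks insecure (RC4, 3DES, ...), and the TLS 1.3 suites are
// skipped because they are not configurable.
func tls12Suites() map[string]uint16 {
	m := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				m[cs.Name] = cs.ID
				break
			}
		}
	}
	return m
}

// KubeRBACProxyTLSArgs derives the --tls-min-version and --tls-cipher-suites
// arguments for a kube-rbac-proxy sidecar from a TLS profile.
//
// With TLS 1.3 as the minimum, crypto/tls does not let the caller choose
// cipher suites, so only --tls-min-version is emitted. For TLS 1.2, cipher
// names that crypto/tls does not recognise as secure are dropped rather than
// passed through, and an empty result is an error rather than a server with
// no cipher restriction.
func KubeRBACProxyTLSArgs(p TLSProfile) ([]string, error) {
	switch p.MinTLSVersion {
	case "VersionTLS12", "VersionTLS13":
	default:
		return nil, fmt.Errorf("unsupported minimum TLS version %q", p.MinTLSVersion)
	}
	args := []string{"--tls-min-version=" + p.MinTLSVersion}
	if p.MinTLSVersion == "VersionTLS13" {
		return args, nil
	}
	known := tls12Suites()
	var accepted []string
	for _, name := range p.Ciphers {
		if _, ok := known[name]; ok {
			accepted = append(accepted, name)
		}
	}
	if len(accepted) == 0 {
		return nil, fmt.Errorf("profile contains no cipher suite usable at TLS 1.2")
	}
	return append(args, "--tls-cipher-suites="+strings.Join(accepted, ",")), nil
}

func main() {
	// Constructed profiles: a TLS 1.2 profile with one insecure and one
	// TLS 1.3-only name mixed in, and a TLS 1.3 profile.
	intermediate := TLSProfile{
		MinTLSVersion: "VersionTLS12",
		Ciphers: []string{
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
			"TLS_RSA_WITH_RC4_128_SHA", // insecure: dropped
			"TLS_AES_128_GCM_SHA256",   // TLS 1.3 only: dropped
		},
	}
	modern := TLSProfile{MinTLSVersion: "VersionTLS13", Ciphers: []string{"TLS_AES_256_GCM_SHA384"}}
	for _, p := range []TLSProfile{intermediate, modern} {
		args, err := KubeRBACProxyTLSArgs(p)
		fmt.Println(args, err)
	}
}
```

The TLS 1.3 branch returns before any cipher handling, which is the behaviour the "TLS 1.3 without cipher suites" test describes; rejecting an empty TLS 1.2 cipher list fails closed instead of starting the proxy with Go's defaults.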
4e665c0 to 24eed11
24eed11 to 6b35a05
damdo left a comment:
Thanks for this Radek!
I left a bunch of comments but it mostly looks good! TY
        return
    }
    klog.Fatal(server.ListenAndServe())
In controller-runtime-common we overwrite initialProfile once the change is detected, see: https://github.com/damdo/machine-api-operator/blob/6b35a05c94ac5760bedfcb4e2408d8efee3d1100/vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go#L138-L140
We are restarting anyway so it does not really matter, but I agree that is more correct if we got multiple updates before shutdown. This way, the second event won't log the shutdown again.
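To illustrate the point in the exchange above, here is an added Go example (not the controller-runtime-common code linked, and not this PR's code) of a watcher that overwrites the stored initial profile when a change is detected, so a repeated event arriving before the restart completes does not log the shutdown again, while sync.Once keeps the shutdown callback to a single invocation. Profile and ProfileWatcher are constructed names for this example.

```go
package main

import (
	"log"
	"reflect"
	"sync"
)

// Profile is a constructed stand-in for the observed APIServer TLS profile.
type Profile struct {
	MinTLSVersion string
	Ciphers       []string
}

// ProfileWatcher restarts the process, through the shutdown callback, when the
// TLS profile differs from the one read at startup. Once a change is seen the
// stored profile is overwritten, so an identical event arriving before the
// process has exited is not reported as another change, and the callback
// runs at most once however many changes arrive.
type ProfileWatcher struct {
	mu            sync.Mutex
	profile       Profile
	once          sync.Once
	shutdown      func()
	shutdownCalls int
}

// NewProfileWatcher records the profile observed at startup.
func NewProfileWatcher(initial Profile, shutdown func()) *ProfileWatcher {
	return &ProfileWatcher{profile: initial, shutdown: shutdown}
}

// Observe handles one watch event and reports whether it was treated as a change.
func (w *ProfileWatcher) Observe(current Profile) bool {
	w.mu.Lock()
	defer w.mu.Unlock()
	if reflect.DeepEqual(current, w.profile) {
		return false
	}
	log.Printf("APIServer TLS profile changed from %+v to %+v; shutting down to pick it up", w.profile, current)
	// Overwrite the baseline so a re-delivered identical event stays silent.
	w.profile = current
	// Shutdown is requested once even if further changes land before exit.
	w.once.Do(func() {
		w.shutdownCalls++
		w.shutdown()
	})
	return true
}

// ShutdownCalls reports how many times the shutdown callback actually ran.
func (w *ProfileWatcher) ShutdownCalls() int {
	w.mu.Lock()
	defer w.mu.Unlock()
	return w.shutdownCalls
}

func main() {
	initial := Profile{MinTLSVersion: "VersionTLS12", Ciphers: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
	w := NewProfileWatcher(initial, func() { log.Println("shutdown requested") })
	w.Observe(initial)                                // resync of the same profile: no change
	w.Observe(Profile{MinTLSVersion: "VersionTLS13"}) // change: logged, shutdown requested
	w.Observe(Profile{MinTLSVersion: "VersionTLS13"}) // same event again: silent
	log.Printf("shutdown callback ran %d time(s)", w.ShutdownCalls())
}
```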
    return metricsserver.NewServer(metricsserver.Options{
        BindAddress:    metricsAddr,
        SecureServing:  true,
        FilterProvider: filters.WithAuthenticationAndAuthorization,
Do we have the right RBAC defined for the MAO Deployment's service account to do this?
WithAuthenticationAndAuthorization provides a metrics.Filter for authentication and authorization. Metrics will be authenticated (via TokenReviews) and authorized (via SubjectAccessReviews) with the kube-apiserver. For the authentication and authorization the controller needs a ClusterRole with the following rules:
* apiGroups: authentication.k8s.io, resources: tokenreviews, verbs: create
* apiGroups: authorization.k8s.io, resources: subjectaccessreviews, verbs: create
To scrape metrics e.g. via Prometheus the client needs a ClusterRole with the following rule:
* nonResourceURLs: "/metrics", verbs: get
Move TLS configuration computation from per-container to once per batch in newKubeProxyContainers. This avoids redundant processing when creating multiple kube-rbac-proxy containers with the same TLS profile.
@RadekManak: The following test failed, say
Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
(:8443) using controller-runtime’s metrics server with delegated authn/authz (WithAuthenticationAndAuthorization), and remove the MAO kube-rbac-proxy sidecar.
APIServer/cluster TLS profile on startup, kube-rbac-proxy sidecars (machine, machineset, mhc) by generating --tls-min-version and profile-derived --tls-cipher-suites args.
METRICS_PORT=8443) for direct secure serving, config.openshift.io/apiservers.
controller-runtime, openshift/api, openshift/client-go, etc.), go-build.sh root-dir handling fix, pkg/webhooks/machine_webhook.go, context import updates).
Notes
kube-rbac-proxy and continue using the existing namespace/metrics authorization model. /metrics auth uses delegated token/SAR checks; scraper access relies on existing cluster-monitoring prometheus-k8s cluster RBAC.