enable certificate management in kubernetes clusters
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Magnum | Fix Released | Undecided | Spyros Trigazis |
Queens | Fix Released | Undecided | Unassigned |
Bug Description
Kubernetes has built-in functionality to manage TLS certificates:
https:/
Certificate signing requests are submitted through the Kubernetes API, and the resulting certificates can be used to enable TLS communication between services and tools running inside the cluster.
To enable this in Magnum we need to generate a new cluster CA for this purpose, which will be used for internal cluster connections only and is not expected to be recognized by anything outside the cluster.
The alternative would be to reuse the cluster CA we already have to generate the client TLS certificates, but as the CA key is stored in barbican we cannot use it to get kubernetes to generate new certificates.
Changed in magnum:
assignee: Ricardo Rocha (rocha-porto) → Spyros Trigazis (strigazi)
Changed in magnum:
status: In Progress → Fix Released
The second part of this implementation is to make the new CA public certificate available to all pods in the cluster, the same way the svc account is also exposed.