OpenUnison / openunison-k8s-login-oidc

Kubernetes login portal for both kubectl and the dashboard using OpenID Connect. Use groups from your assertion in RBAC policies to control access to your cluster. Supports impersonation and OpenID Connect integration with your API server.
https://www.tremolosecurity.com/kubernetes/
Apache License 2.0

Is it possible to supply a custom certificate during installation? #22

Closed dkulchinsky closed 3 years ago

dkulchinsky commented 3 years ago

I've reviewed the steps described here https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#how-do-i-change-openunisons-certificates to replace the self-signed certificate with a custom one, but is it possible to do it as part of the installation to avoid extra steps?

specifically, we're using the helm chart to deploy this orchestra plugin.

Thanks!

dkulchinsky commented 3 years ago

To be more specific, we're using cert-manager (https://cert-manager.io/) to issue Let's Encrypt certificates, so cert-manager will populate the ou-tls-certificate secret with the certs from Let's Encrypt, but how do we ensure the operator is not going to override it?

maybe we need to remove this section from the OpenUnison manifest?

    - create_data:
        ca_cert: true
        key_size: 2048
        server_name: {{ .Values.network.openunison_host }}
        sign_by_k8s_ca: false
        subject_alternative_names:
          - {{ .Values.network.dashboard_host }}
          {{ if eq .Values.enable_impersonation true }}
          - {{ .Values.network.api_server_host }}
          {{ end }}
      import_into_ks: certificate
      name: unison-ca
      tls_secret_name: ou-tls-certificate

mlbiam commented 3 years ago

This is a reasonable request.

> maybe we need to remove this section from the OpenUnison manifest?

Precisely

dkulchinsky commented 3 years ago

great 👍 I'll try that, but I think we're also missing the ability to add an annotation to the ingress:

cert-manager.io/issuer: "letsencrypt-staging"

if I update the ingress manually, will the operator change it back?

mlbiam commented 3 years ago

> if I update the ingress manually, will the operator change it back?

No. The other option is to create a Certificate object so you don't need to add the annotation.

dkulchinsky commented 3 years ago

Just managed to glue this together 😄

  1. Removed the ou-tls-certificate create_data block from orchestra
  2. Added the cert-manager annotation to the ingress

I guess my only ask is to be able to add custom annotations to the generated ingress resource 🙏

This method is preferred because it ensures cert-manager keeps track of all the ingresses and updates them accordingly.

dkulchinsky commented 3 years ago

I worked around point (2) above by creating a cert-manager Certificate resource that populates the secret that the Ingress then consumes; this seems to work well.
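The Certificate-object approach described in the comment above, written out as an added example that is not from this issue or from the OpenUnison project. It assumes cert-manager is installed and that an Issuer named letsencrypt-staging (the name used earlier in the thread) exists in OpenUnison's namespace; the namespace and hostnames are placeholders standing in for the Helm values in the quoted create_data block. Because the operator's generated Ingress already points at the ou-tls-certificate secret (tls_secret_name in that block), removing the create_data block and adding this object makes cert-manager the only writer of that secret, with no annotation on the Ingress required.

```yaml
# Added example, not from the issue or the OpenUnison project.
# Assumptions: cert-manager is installed; an Issuer "letsencrypt-staging" exists
# in the same namespace; namespace and hostnames below are placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openunison-tls
  namespace: openunison              # placeholder: the namespace OpenUnison runs in
spec:
  # Must match the secret the operator's Ingress references
  # (tls_secret_name: ou-tls-certificate in the snippet above).
  secretName: ou-tls-certificate
  issuerRef:
    name: letsencrypt-staging        # Issuer name from the thread; use kind: ClusterIssuer if yours is cluster-scoped
    kind: Issuer
  # One DNS name per host the operator would otherwise put in the self-signed cert.
  dnsNames:
    - k8sou.example.com              # placeholder for .Values.network.openunison_host
    - k8sdb.example.com              # placeholder for .Values.network.dashboard_host
    - k8sapi.example.com             # placeholder for .Values.network.api_server_host; only needed with impersonation enabled
```

After applying it, `kubectl -n openunison get certificate openunison-tls` should report READY as True, and `kubectl -n openunison get secret ou-tls-certificate -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -issuer -subject -dates` should show a Let's Encrypt issuer rather than the unison-ca the operator generates. Note that the staging issuer's certificates are not publicly trusted, so clients will still warn until the issuerRef is switched to a production issuer.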

mlbiam commented 3 years ago

Our next release of the operator supports adding annotations to the ingress definition. We'll also support disabling the creation of ou-tls-certificate.

dkulchinsky commented 3 years ago

Ohh, wonderful! Can't wait for the next release 😄

mlbiam commented 3 years ago

Annotations are now supported on the Ingress from the Helm chart.