authzed / spicedb-kubeapi-proxy

Secure access to the Kubernetes API using SpiceDB
https://authzed.com/spicedb
Apache License 2.0

use cert-manager for dev environment #36

Closed vroldanbet closed 1 year ago

vroldanbet commented 1 year ago

Closes https://github.com/authzed/spicedb-kubeapi-proxy/issues/7

Until now we've been using Go code to generate certificates manually in our magefiles. This commit changes that to get it somewhat closer to what we expect it to be like in a production environment, where we rely on cert-manager.

The cert-manager custom resources added here shall serve as a reference for the production environments.

Perhaps the tricky bit here has been retrieving the generated secrets with the purpose of creating the proxy's upstream kubeconfig. Alternatively, we could pass the arguments to the proxy directly and have it generate the kube config in memory, which would spare us some magefile code to do the plumbing.
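The in-memory alternative mentioned above, as an added example that is not code from this PR or from the spicedb-kubeapi-proxy project: it takes the three PEM fields cert-manager writes into a Certificate's Secret (`ca.crt`, `tls.crt`, `tls.key`), checks that the client certificate actually chains to the CA with the client-auth extended key usage before trusting it, and renders the upstream kubeconfig without touching disk. The server URL, context name and the `genCA`/`issueClient` generators (which stand in for cert-manager so the example runs offline) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// certSecret holds the three data keys cert-manager writes into the Secret
// produced by a Certificate resource: ca.crt, tls.crt and tls.key (PEM).
type certSecret struct {
	CACrt, TLSCrt, TLSKey []byte
}

// verifyClientCert refuses to wire a secret into a kubeconfig unless tls.crt
// chains to ca.crt and carries the client-auth EKU the upstream needs.
func verifyClientCert(s certSecret) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(s.CACrt) {
		return nil, fmt.Errorf("ca.crt holds no parseable certificate")
	}
	block, _ := pem.Decode(s.TLSCrt)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("tls.crt is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("tls.crt does not chain to ca.crt: %w", err)
	}
	return cert, nil
}

// buildKubeconfig renders the upstream kubeconfig entirely in memory. It is
// emitted as JSON, which kubectl and client-go accept because JSON is valid YAML.
func buildKubeconfig(s certSecret, server, name string) ([]byte, error) {
	if _, err := verifyClientCert(s); err != nil {
		return nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	cfg := map[string]any{
		"apiVersion": "v1", "kind": "Config", "current-context": name,
		"clusters": []map[string]any{{"name": name, "cluster": map[string]any{
			"server": server, "certificate-authority-data": b64(s.CACrt)}}},
		"users": []map[string]any{{"name": name, "user": map[string]any{
			"client-certificate-data": b64(s.TLSCrt), "client-key-data": b64(s.TLSKey)}}},
		"contexts": []map[string]any{{"name": name, "context": map[string]any{
			"cluster": name, "user": name}}},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// genCA and issueClient are constructed stand-ins for cert-manager's issuer
// and Certificate so the example runs offline; they are not real PKI.
func genCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (crtPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	keyDER, err := x509.MarshalECPrivateKey(key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	ca, caKey, caPEM := genCA("dev-proxy-ca") // placeholder names and server URL
	crt, key := issueClient(ca, caKey, "spicedb-kubeapi-proxy")
	out, err := buildKubeconfig(certSecret{caPEM, crt, key}, "https://127.0.0.1:6443", "dev")
	must(err)
	os.Stdout.Write(out)
}
```

The verification step is the part worth keeping whichever plumbing wins: a Secret that was rotated by cert-manager, or one copied from the wrong Issuer, fails the chain check up front instead of surfacing later as an opaque TLS handshake error from the upstream API server.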

ecordell commented 1 year ago

I discarded using the Let's Encrypt issuer as it would be a bit of overkill for an internal service, and I imagine it wouldn't be possible to do ACME without published DNS records

I also don't think this is a big deal for kube use-cases in general, since we can stick the CA in the kubeconfig directly

vroldanbet commented 1 year ago

@ecordell

ProxyClient uses the configured CA to generate a client cert and generate a kubeconfig for it, then you can mount the kubeconfig secret directly and use it (or download it locally). You'd need to lock down access to that API, but that's also true of the cert manager apis.

This is a cool idea, are you thinking of a controller for building the kubeconfig used by the proxy, or to generate the kube config used by rakis, or both?

vroldanbet commented 1 year ago

@ecordell and I are discussing the various approaches to rolling this out in production for our cloud product, but for now, this should be good to go for the development environment.