Currently, node and client keys are visible between CRDB clusters running in the same namespace.
This pull request adds a -cluster flag to logically name and partition the key-space. If the -cluster flag is not specified, everything works as before.
Example:
/request-cert '-namespace=crdb' '-certs-dir=/cockroach-certs' '-type=client' '-user=root' '-symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' '-cluster=crdb-test'
2019/02/27 16:21:07 Looking up cert and key under secret crdb.crdb-test.client.root
W0227 16:21:07.014788 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2019/02/27 16:21:07 Secret crdb.crdb-test.client.root not found, sending CSR
Sending create request: crdb.crdb-test.client.root for
Request sent, waiting for approval. To approve, run 'kubectl certificate approve crdb.crdb-test.client.root'
CSR approved, but no certificate in response. Waiting some more
request crdb.crdb-test.client.root Approved at 2019-02-27 16:21:09 +0000 UTC
reason: AutoApproved
message: Auto approving CockroachDB certificate after SubjectAccessReview.
2019/02/27 16:21:09 Storing cert and key under secret crdb.crdb-test.client.root
2019/02/27 16:21:09 Writing cert and key to local files
wrote key file: /cockroach-certs/client.root.key
wrote certificate file: /cockroach-certs/client.root.crt
symlinked CA certificate file: /cockroach-certs/ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
This fixes issue #18
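The partitioning described above rests entirely on the Secret/CSR name. The log shows the shape with a cluster name, crdb.crdb-test.client.root, i.e. <namespace>.<cluster>.<type>.<user>. The following is an added Go example, not code from request-cert or this PR, that reproduces that scheme and adds two checks a practitioner would want before trusting it as a partition: components may not contain the "." separator (otherwise a user named client.root in a cluster-less invocation would collide with cluster "client", user "root"), and the result must be a valid Kubernetes object name (DNS-1123 subdomain), since it is used for both a Secret and a CertificateSigningRequest. The cluster-less shape <namespace>.<type>.<user> is an assumption about the pre-PR behaviour, not verified against the project source.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dns1123Subdomain is the name form Kubernetes accepts for Secret and
// CertificateSigningRequest objects: lowercase alphanumerics, '-' and '.',
// each dot-separated label starting and ending with an alphanumeric.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// SecretName builds the name under which the cert/key pair is looked up and
// stored. With a cluster it yields "<namespace>.<cluster>.<type>.<user>",
// matching the PR's log output; with an empty cluster it yields
// "<namespace>.<type>.<user>" (assumed pre-PR shape). Components containing
// the separator are rejected because they would make the partition ambiguous.
func SecretName(namespace, cluster, certType, user string) (string, error) {
	parts := []string{namespace}
	if cluster != "" {
		parts = append(parts, cluster)
	}
	parts = append(parts, certType, user)

	for _, p := range parts {
		if p == "" {
			return "", fmt.Errorf("empty name component in %q", parts)
		}
		if strings.Contains(p, ".") {
			// e.g. user "client.root" with no cluster would name the same
			// secret as cluster "client", user "root": refuse it.
			return "", fmt.Errorf("component %q must not contain '.'", p)
		}
	}

	name := strings.Join(parts, ".")
	if len(name) > 253 || !dns1123Subdomain.MatchString(name) {
		return "", fmt.Errorf("%q is not a valid Kubernetes object name", name)
	}
	return name, nil
}

func main() {
	// Constructed inputs: two clusters sharing namespace "crdb", plus the
	// cluster-less form and two inputs the checks are meant to catch.
	inputs := [][4]string{
		{"crdb", "crdb-test", "client", "root"},
		{"crdb", "crdb-prod", "client", "root"},
		{"crdb", "", "client", "root"},
		{"crdb", "", "client", "client.root"}, // would collide with cluster "client"
		{"crdb", "crdb-test", "client", "app_user"}, // '_' is not allowed in a Secret name
	}
	for _, in := range inputs {
		name, err := SecretName(in[0], in[1], in[2], in[3])
		if err != nil {
			fmt.Printf("rejected %v: %v\n", in, err)
			continue
		}
		fmt.Printf("%v -> %s\n", in, name)
	}
}
```

Because the cluster name is just another label in the object name, the isolation is only as strong as the RBAC on those Secrets and the SubjectAccessReview the approver performs; the name check above stops accidental collisions, not a caller who is already allowed to read the other cluster's Secret.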