xrstf
commented
10 months ago logical-cluster-admin-client-cert-for-kubeconfig is not affected the same way?
Closed embik closed 10 months ago
xrstf
commented
10 months ago logical-cluster-admin-client-cert-for-kubeconfig is not affected the same way?
embik
commented
10 months ago
logical-cluster-admin-client-cert-for-kubeconfigis not affected the same way?
The kubeconfig that uses that is referencing kcp - as in the root shard server - directly:
So kcp-server-client-issuer should be the correct issuer for that one (as it is, right now).
xrstf
commented
10 months ago /lgtm
kcp-ci-bot
commented
10 months ago LGTM label has been added. Git tree hash: cb38ffa9d539151b0f16c47c5d0bb07af9e9ccb7
xrstf
commented
10 months ago Aaaand my diagram is now already outdated..
embik
commented
10 months ago /approve
kcp-ci-bot
commented
10 months ago [APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: embik
The full list of commands accepted by this bot can be found here.
The pull request process is described here
After PKI cleanups done in #56, we are starting to see the effects of incorrect CAs used for certain
Certificates. This is one of the cases:external-logical-cluster-admin-client-cert-for-kubeconfigis used in theexternal-logical-cluster-admin-kubeconfigSecret as client certificate to access the kcp-front-proxy: https://github.com/kcp-dev/helm-charts/blob/f808f2b7c88736142137caea36ffd83ebd2e6197/charts/kcp/templates/external-logical-cluster-admin-kubeconfig.yaml#L16But since the certificate is signed by
kcp-server-client-ca, the front proxy will reject requests with this certificate, as it's using thekcp-client-cato validate incoming client certificates:https://github.com/kcp-dev/helm-charts/blob/f808f2b7c88736142137caea36ffd83ebd2e6197/charts/kcp/templates/kcp-front-proxy.yaml#L334
This PR updates the
issuerRefon theCertificatein question so that it gets signed by the CA used by kcp-front-proxy, not the CA used by kcp(-server).