Closed: embik closed 10 months ago
`logical-cluster-admin-client-cert-for-kubeconfig` is not affected the same way?
> `logical-cluster-admin-client-cert-for-kubeconfig` is not affected the same way?

The kubeconfig that uses that is referencing kcp - as in the root shard server - directly:

So `kcp-server-client-issuer` should be the correct issuer for that one (as it is, right now).
/lgtm
LGTM label has been added.
Aaaand my diagram is now already outdated..
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: embik
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
After PKI cleanups done in #56, we are starting to see the effects of incorrect CAs used for certain `Certificate`s. This is one of the cases: `external-logical-cluster-admin-client-cert-for-kubeconfig` is used in the `external-logical-cluster-admin-kubeconfig` Secret as client certificate to access the kcp-front-proxy: https://github.com/kcp-dev/helm-charts/blob/f808f2b7c88736142137caea36ffd83ebd2e6197/charts/kcp/templates/external-logical-cluster-admin-kubeconfig.yaml#L16

But since the certificate is signed by `kcp-server-client-ca`, the front proxy will reject requests with this certificate, as it's using the `kcp-client-ca` to validate incoming client certificates: https://github.com/kcp-dev/helm-charts/blob/f808f2b7c88736142137caea36ffd83ebd2e6197/charts/kcp/templates/kcp-front-proxy.yaml#L334

This PR updates the `issuerRef` on the `Certificate` in question so that it gets signed by the CA used by kcp-front-proxy, not the CA used by kcp(-server).