Closed adrianludwin closed 4 years ago
/cc @rjbez17
Ryan, any concerns with this?
I think as a default its fine. I'd prefer/hope we maintain the option to configure HNC with a secret name where to find the cert to use (and therefore skip the self signed route). Leaving the use of cert manager open.
Personally we (as in Cray) wouldn't allow the self signed option in our clusters, but for development/getting started I think it's generally ok.
I've done quite a bit around certs within k8s so feel free to reach out @yiqigao217 if you need some help with this.
Thanks! Yup this would be a default, we'll still support cert-manager and other methods.
On Fri, Apr 17, 2020 at 6:49 PM Ryan Bezdicek notifications@github.com wrote:
I think as a default its fine. I'd prefer/hope we maintain the option to configure HNC with a secret name where to find the cert to use (and therefore skip the self signed route). Leaving the use of cert manager open.
Personally we (as in Cray) wouldn't allow the self signed option in our clusters, but for development/getting started I think it's generally ok.
I've done quite a bit around certs within k8s so feel free to reach out @yiqigao217 https://github.com/yiqigao217 if you need some help with this.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/kubernetes-sigs/multi-tenancy/issues/653#issuecomment-615496710, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE43PZFF6SV5327P2K4N3BTRNDMHHANCNFSM4MLCUNSQ .
/assign @yiqigao217
We've had some discussions at Google about HNC, and some of us were concerned by the runtime dependency on
cert-manager
. For example, we've already seen cases where different versions ofcert-manager
can break us - what happens if someone has the wrong version installed on their cluster?By contrast, Gatekeeper is a similar project to HNC, but has the optional ability to generate its own self-signed certs for its webhooks. We thought it would be nice to include this capability in HNC as well.
We had a chat with the
controller-runtime
folks about moving Gatekeeper's cert management there, but they're not really interested in maintaining it. For now, the best solution we can think of is simply to copy Gatekeeper's manager (which is a single code file, plus a test file) into HNC, and update it periodically with fixes. @yiqigao217 has already been working with Gatekeeper to get some (unrelated) fixes into their cert manager so she has a good understanding of how that code works.Hopefully this is an interim solution until we move that file to a proper library location, but in the meantime, we think this will make HNC easier to use in more environments.