kubernetes-retired / multi-tenancy

A working place for multi-tenancy related proposals and prototypes.
Apache License 2.0

HNC: let HNC run without cert-manager #653

Closed adrianludwin closed 4 years ago

adrianludwin commented 4 years ago

We've had some discussions at Google about HNC, and some of us were concerned by the runtime dependency on cert-manager. For example, we've already seen cases where different versions of cert-manager can break us - what happens if someone has the wrong version installed on their cluster?

By contrast, Gatekeeper is a similar project to HNC, but has the optional ability to generate its own self-signed certs for its webhooks. We thought it would be nice to include this capability in HNC as well.

We had a chat with the controller-runtime folks about moving Gatekeeper's cert management there, but they're not really interested in maintaining it. For now, the best solution we can think of is simply to copy Gatekeeper's manager (which is a single code file, plus a test file) into HNC, and update it periodically with fixes. @yiqigao217 has already been working with Gatekeeper to get some (unrelated) fixes into their cert manager so she has a good understanding of how that code works.

Hopefully this is an interim solution until we move that file to a proper library location, but in the meantime, we think this will make HNC easier to use in more environments.
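To make the proposal concrete, here is an added, illustrative reimplementation (not HNC's or Gatekeeper's code) of what a self-contained cert generator for an admission webhook has to do: mint a self-signed CA, sign a serving certificate for the webhook's Service DNS name, and hand back the PEM material that goes into the webhook configuration's caBundle and the server's TLS config. The CA name and the service DNS name are assumptions; the verify function reproduces the check the API server performs when it calls the webhook, which is also the check that fails when a cert-manager version mismatch leaves caBundle and the serving cert out of sync.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// WebhookCerts is the PEM material an admission webhook needs: the CA bundle
// written into the webhook configuration's caBundle, and the serving
// certificate and key the webhook server presents to the API server.
type WebhookCerts struct {
	CAPEM   []byte
	CertPEM []byte
	KeyPEM  []byte
}

// GenerateWebhookCerts creates a fresh self-signed CA and a serving cert for
// the webhook's Service DNS names, signed by that CA. A real rotator would
// regenerate both before NotAfter and re-inject the new caBundle.
func GenerateWebhookCerts(dnsNames []string, validity time.Duration) (*WebhookCerts, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "hnc-webhook-ca"}, // assumed CA name
		NotBefore:             now.Add(-time.Hour),                     // tolerate clock skew
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	servKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	servTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the API server matches the Service name against the SANs
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	servDER, err := x509.CreateCertificate(rand.Reader, servTmpl, caCert, &servKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(servKey)
	if err != nil {
		return nil, err
	}
	return &WebhookCerts{
		CAPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: servDER}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyServingCert performs the check the API server does when calling the
// webhook: the serving cert must chain to caBundle and be valid for dnsName.
// A stale or mismatched caBundle fails here, and so would every admission call.
func VerifyServingCert(caPEM, certPEM []byte, dnsName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("caBundle contains no certificates")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("serving cert is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	svc := "hnc-webhook-service.hnc-system.svc" // assumed Service DNS name
	certs, err := GenerateWebhookCerts([]string{svc}, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("serving cert chains to caBundle:", VerifyServingCert(certs.CAPEM, certs.CertPEM, svc) == nil)
}
```

Supporting an externally managed cert, as discussed later in the thread, needs no extra generation logic: the controller reads CertPEM and KeyPEM (and the CA bundle) from the configured Secret instead of calling GenerateWebhookCerts, and the same VerifyServingCert check can run at startup to catch a bundle that does not match the served certificate.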

adrianludwin commented 4 years ago

/cc @rjbez17

Ryan, any concerns with this?

rjbez17 commented 4 years ago

I think as a default it's fine. I'd prefer/hope we maintain the option to configure HNC with a secret name where to find the cert to use (and therefore skip the self-signed route). Leaving the use of cert manager open.

Personally we (as in Cray) wouldn't allow the self-signed option in our clusters, but for development/getting started I think it's generally ok.

I've done quite a bit around certs within k8s so feel free to reach out @yiqigao217 if you need some help with this.

adrianludwin commented 4 years ago

Thanks! Yup, this would be a default; we'll still support cert-manager and other methods.


adrianludwin commented 4 years ago

/assign @yiqigao217