Closed flavio closed 11 hours ago
Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller
I always wonder why every project (like kucero for CaaSP) has to re-implement certificate handling. This should be built into Kubernetes.
We decided not to leverage https://github.com/open-policy-agent/cert-controller since it does not support zero-downtime CA rotation. Also, we will need to fork it to adapt it to our use case, as we configure policy webhooks dynamically. Finally, it does not fully support leader election due to this bug.
Closing, all the mandatory tasks have been done.
Description
Our controller uses two different CA roots:
- cert-manager, which generates the CRD webhook leaf certificate
- The `PolicyServerController` reconciliation loop, the first time a policy server is created, which is used to generate the policy servers' TLS certificate.

There are a few problems with this approach:
- cert-manager, see: kubewarden/kubewarden-controller#422
- cert-manager and our implementation on the PolicyServer side do not rotate the CA root (see https://github.com/cert-manager/cert-manager/issues/2478)

Solution
We need to implement our certificate rotation logic inside the controller. Specifically, we need to:
- `CertController` that periodically checks if the certificates are expired and regenerates them using a lookahead interval. If a TLS certificate is expired we can re-generate it, and it will be picked up by the servers eventually. If the CA root is expired we need to regenerate all the leaf certificates and implement the logic needed to prevent downtime during this phase.

Tasks
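As an added example (not code from the kubewarden-controller or any of the projects linked above), here is the lookahead check and the zero-downtime CA rotation window from the Solution section in Go: `NeedsRenewal` is the lookahead test, `issue` is a constructed fixture that mints a root or a leaf, and `VerifyWithBundle` shows why serving a bundle with both the old and the new root lets leaves from either root keep verifying while the CA is rotated. All function names are assumptions, not the controller's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NeedsRenewal reports whether cert expires inside the lookahead window, i.e. whether this tick should regenerate it.
func NeedsRenewal(cert *x509.Certificate, now time.Time, lookahead time.Duration) bool {
	return !now.Add(lookahead).Before(cert.NotAfter)
}

// issue mints a certificate (constructed fixture); parent == nil self-signs a CA root.
func issue(cn string, now time.Time, lifetime time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now, NotAfter: now.Add(lifetime),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyWithBundle validates leaf against a CA bundle. During root rotation the bundle holds both
// the old and the new root, so leaves issued by either keep verifying until every server is re-issued.
func VerifyWithBundle(leaf *x509.Certificate, bundle []*x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}
```

Once every policy server has a leaf under the new root, the old root is dropped from the bundle; until then both roots stay trusted and no server loses its TLS identity.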