flavio
commented
3 years ago Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller
Closed flavio closed 11 hours ago
flavio
commented
3 years ago Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller
kkaempf
commented
3 years ago I always wonder why every project (like kucero for CaaSP) has to re-implement certificate handling. This should be built into Kubernetes.
fabriziosestito
commented
1 month ago Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller
We decided not to leverage https://github.com/open-policy-agent/cert-controller since it does not support zero-downtime CA rotation. Also, we will need to fork it to adapt it to our use case, as we configure policy webhooks dynamically. Finally, it does not fully support leader election due to this bug.
flavio
commented
11 hours ago Closing, all the mandatory tasks have been done.
Description
Our controller uses two different CA roots:
cert-manager, which generates the CRD webhook leaf certificatePolicyServerControllerreconciliation loop the first time a policy server is created, which is used to generate the policy servers' TLS certificate.There are a few problems with this approach:
cert-manager, see: kubewarden/kubewarden-controller#422cert-managerand our implementation on the PolicyServer side do not rotate the CA root (see https://github.com/cert-manager/cert-manager/issues/2478)Solution
We need to implement our certificate rotation logic inside the controller. Specifically, we need to:
CertControllerthat periodically checks if the certificates are expired and regenerates them using a lookahead interval. If a TLS certificate is expired we can re-generate it, and it will be picked up by the servers eventually. If the CA root is expired we need to regenerate all the leaf certificates and implement the logic needed to prevent downtime during this phase.Tasks