Open tobiscr opened 8 months ago
This is a complicated topic, and we intentionally decided to go this way to reuse the kyma-gateway certificate in the application-connector Istio gateway in order to enable mTLS. This approach was agreed on by Goats and PB, as far as I remember.
If they want us to stop using that, it might have a lot of consequences and would require us to migrate ALL Kyma clusters to new certificates, and ALL connected applications might also be affected. It is a big risk and I don't want to start working on this task without some research.
Possible solutions:
1) Workaround: do not allow the application-connector module to run without the api-gateway module enabled.
2) Remove the coupling between both modules: extract this gateway certificate from the api-gateway module and put it into Kyma separately.
3) Separate certificate: issue a new certificate for the application connector and migrate all Kyma workloads (seems like a crazy task to me).
@pbochynski : any objections to establishing the API-Gateway module as a mandatory prerequisite for the Application-Connector module?
A cleaner approach is to use a dedicated certificate, but the effort for the migration is quite high and we have to verify how it collaborates with the Compass Directory. This will require additional analysis.
A diagram is required showing the different scenarios:
The fix will require modularising the Compass Runtime Agent (move to ACM). Currently, the issue is not solvable in a meaningful way.
This incident is blocked by #114
See also #90 - could be related to this change!
We agreed to split this task in two phases:
Phase 1: Error state when Istio is missing. It has to switch into the state Warning and fire an expressive error message which clearly indicates that Istio is missing.
Phase 2: The identified solution COULD be related to https://github.com/kyma-project/compass-manager/issues/188 (it has to be checked whether the Compass Runtime Agent is really using the API-gateway module, respectively the kyma-gateway).
Description
The application connector is currently reusing the certificate from the default gateway, which leads to a tight coupling between the application connector and the api-gateway module.
As we have no mandatory modules in Kyma anymore, such coupling is not allowed and can lead to operational incidents if customers are not using the Istio / api-gateway modules from Kyma.
This is a high risk in regards to our operational robustness and we have to remove this dependency asap.
See example manifest from application-connector gateway and the used certificate secret:
We have to agree on a different mechanism and avoid using the default-gateway certificate in the application-connector module:
- (... application-connector-gateway-certificate) and no longer use the one from the api-gateway
Options for solving this requirement are:
- cert-manager for creating our own certificate (this option needs to be verified and feasibility confirmed)
AC:
Reason: No dependencies to other modules, as it's colliding with the technical agreements we made for Kyma modules.
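The dedicated-certificate option from the issue, sketched as an added cert-manager plus Istio configuration; this is illustrative and not a manifest from the issue or the Kyma project. The secret name application-connector-gateway-certificate is taken from the issue; the gateway name, namespaces, host and issuer are assumptions or placeholders.

```yaml
# Added example: a certificate owned by the application-connector module,
# so the mTLS gateway no longer references the kyma-gateway secret.
# cert-manager writes tls.crt, tls.key and ca.crt into the named secret;
# Istio's ingress gateway reads the secret from its own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: application-connector-gateway-certificate
  namespace: istio-system                  # assumption: ingress gateway namespace
spec:
  secretName: application-connector-gateway-certificate   # name used in the issue
  duration: 2160h                           # 90 days, assumed rotation policy
  renewBefore: 360h                         # renew 15 days before expiry
  dnsNames:
    - gateway.<CLUSTER-DOMAIN>              # placeholder host
  issuerRef:
    name: <ISSUER-NAME>                     # placeholder: issuer decided by the module
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kyma-gateway-application-connector  # assumed gateway name
  namespace: kyma-system                    # assumption
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https-mtls
        protocol: HTTPS
      hosts:
        - gateway.<CLUSTER-DOMAIN>          # placeholder host
      tls:
        mode: MUTUAL                        # connected applications present client certs
        # Dedicated secret instead of the api-gateway module's certificate:
        credentialName: application-connector-gateway-certificate
```

Because the gateway runs in MUTUAL mode, the CA in ca.crt must be the one that issued the client certificates of already-connected applications, which is the migration risk the discussion above points out.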