openshift / hypershift

Hyperscale OpenShift - clusters with hosted control planes
https://hypershift-docs.netlify.app
Apache License 2.0
434 stars 319 forks

use HTTPS on ignition download from ignition server (FedRamp reqs for encrypted traffic) #354

Closed relyt0925 closed 3 years ago

relyt0925 commented 3 years ago

Since this traffic contains customer certs, we need the traffic to be encrypted on the download from the pod that is run. Right now it uses the HTTP endpoint.

relyt0925 commented 3 years ago

One potential solution to discuss: let's use a headless service for the machine config pod. Then we can sign the cert with a wildcard on the headless service, which will allow us to properly do TLS downloads.

Headless service domain format is PODID.HEADLESS_SERVICE_NAME.NAMESPACE.svc.cluster.local
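
The wildcard-on-headless-service proposal above, as an added Go example that is not part of the original thread or HyperShift's code: it issues a serving certificate with the wildcard SAN and checks which names a TLS client would accept. The service name `machine-config-server` and pod ID `mcs-pod-1` are constructed, the namespace `master` is borrowed from the node pool example on this page, and the certificate is self-signed only to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// wildcardFor returns the wildcard SAN covering every pod behind a headless service.
func wildcardFor(service, namespace string) string {
	return fmt.Sprintf("*.%s.%s.svc.cluster.local", service, namespace)
}

// newServingCert issues a serving cert for the SANs (self-signed here: an assumption for brevity).
func newServingCert(dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// covers reports whether a TLS client dialing host would accept the cert's SANs.
func covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := newServingCert(wildcardFor("machine-config-server", "master"))
	if err != nil {
		panic(err)
	}
	fmt.Println(covers(cert, "mcs-pod-1.machine-config-server.master.svc.cluster.local"))
	fmt.Println(covers(cert, "machine-config-server.master.svc.cluster.local"))
}
```

The wildcard matches exactly one DNS label, so the per-pod name verifies while the bare service name and names in other namespaces do not; a client that dials the service name itself needs that name added as a separate SAN.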

relyt0925 commented 3 years ago

Current strategy: have the ignition bootstrapper run over localhost and update configs all local to the pod instead of having to go over the network.

relyt0925 commented 3 years ago

General code path is here: https://github.com/openshift/hypershift/blob/main/ignition-server/controllers/machineconfigserver_ignitionprovider.go#L64

relyt0925 commented 3 years ago

Example IBM Cloud node pool:

apiVersion: hypershift.openshift.io/v1alpha1
kind: NodePool
metadata:
  name: "tyler21-pool1"
  namespace: master
  labels:
    clusterid: "tyler21"
spec:
  clusterName: "tyler21"
  nodeCount: 2
  nodePoolManagement:
    upgradeType: Replace
    recreate:
      strategy: OnDelete
  platform:
    type: IBMCloud
  release:
    image: registry.ng.bluemix.net/armada-master/ocp-release:4.8.0-fc.8-x86_64

SANJEEV-Choubey commented 3 years ago

@relyt0925 I am working on this task. Work is in progress.

ironcladlou commented 3 years ago

Being tracked here: https://issues.redhat.com/browse/HOSTEDCP-197