radius-project / radius

Radius is a cloud-native, portable application platform that makes app development easier for teams building cloud-native apps.
https://radapp.io
Apache License 2.0

Update Radius secrets type to `kubernetes.io/tls` #7035

Open ytimocin opened 5 months ago

ytimocin commented 5 months ago

Area for Improvement

This is to improve our Helm charts by making the types of our cert secrets kubernetes.io/tls.

Observed behavior

There is no type in our secrets as of now and that makes the types of these secrets Opaque.

Desired behavior

These secrets are holding certificate details and can be typed as kubernetes.io/tls.

Proposed Fix

Add the type kubernetes.io/tls to the secrets.

rad Version

RELEASE   VERSION   BICEP     COMMIT
0.29.0    v0.29.0   0.29.0    6abd7bfc3de0e748a2c34b721d95097afb6a2bba

Operating system

macOS, Apple Chip, Sonoma 14.2.1

Additional context

AB#10890

radius-triage-bot[bot] commented 5 months ago

:wave: @ytimocin Thanks for filing this issue.

A project maintainer will review this issue and get back to you soon.

We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue.

For more information on our triage process please visit our triage overview

youngbupark commented 5 months ago

We can add a breakingchange section in the next release note for the upgrade scenario. Making it right earlier is better than later. cc/ @AaronCrawfis @rynowak

ytimocin commented 5 months ago

> We can add breakingchange section in the next release note for upgrade scenario. Making it right earlier is better than later. cc/ @AaronCrawfis @rynowak

Sounds good. I can create a PR for this once we have the consensus.

rynowak commented 5 months ago

Does this behave differently?

ytimocin commented 5 months ago

> Does this behave differently?

In terms of behavior, kubernetes.io/tls secrets are automatically used by Kubernetes components that manage TLS communications. But I think, in our case, because we pass the secret to the caBundle, it doesn't matter if the secret is of type Opaque or kubernetes.io/tls, because Kubernetes components will automatically look at this property and will not do anything different if the type of the Secret is Opaque or something else. Please correct me if I am wrong @youngbupark.

For Radius users: if there is an existing installation and the user does a reinstall, the reinstall can't find the Opaque secret and throws an error. So it is a breaking change.

I'd agree with @youngbupark that we can do it sooner rather than later.
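
An added example, not part of the original comment or of the Radius code base: a pre-upgrade check for the retyping discussed in this thread. It relies on two Kubernetes API behaviours, that a Secret's `type` cannot be changed in place and that `kubernetes.io/tls` Secrets must carry `tls.crt` and `tls.key`; the Secret names, namespace and data are constructed, and `index`, `secret_type` and `audit` are hypothetical helper names.

```python
import json

TLS_TYPE = "kubernetes.io/tls"
TLS_REQUIRED_KEYS = {"tls.crt", "tls.key"}  # keys the API server requires for this type

# Constructed sample of `kubectl get secrets -o json` output for an existing
# install. Names and namespace are hypothetical; values are placeholders.
LIVE_JSON = """{"items": [
 {"metadata": {"namespace": "example-system", "name": "example-cert"},
  "data": {"tls.crt": "PGNlcnQ+", "tls.key": "PGtleT4="}},
 {"metadata": {"namespace": "example-system", "name": "example-token"},
  "type": "Opaque", "data": {"token": "eA=="}}]}"""

# Constructed sample of the same Secrets as an updated chart would render them.
DESIRED_JSON = """{"items": [
 {"metadata": {"namespace": "example-system", "name": "example-cert"},
  "type": "kubernetes.io/tls", "data": {"tls.crt": "PGNlcnQ+", "tls.key": "PGtleT4="}},
 {"metadata": {"namespace": "example-system", "name": "example-token"},
  "type": "Opaque", "data": {"token": "eA=="}},
 {"metadata": {"namespace": "example-system", "name": "example-webhook-cert"},
  "type": "kubernetes.io/tls", "data": {"cert": "PGNlcnQ+", "key": "PGtleT4="}}]}"""

def index(doc):
    """Map (namespace, name) -> Secret object from a JSON list document."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"]): s
            for s in json.loads(doc)["items"]}

def secret_type(secret):
    """A Secret with no explicit type is stored as Opaque."""
    return secret.get("type") or "Opaque"

def audit(live_doc, desired_doc):
    """Return (secret, finding, detail) tuples for changes an upgrade would trip on."""
    live, findings = index(live_doc), []
    for key, want in sorted(index(desired_doc).items()):
        name = "/".join(key)
        keys = set(want.get("data") or {}) | set(want.get("stringData") or {})
        if secret_type(want) == TLS_TYPE and not TLS_REQUIRED_KEYS <= keys:
            findings.append((name, "missing-keys", sorted(TLS_REQUIRED_KEYS - keys)))
        have = live.get(key)
        # The type field is immutable: changing it means delete and recreate.
        if have is not None and secret_type(have) != secret_type(want):
            findings.append((name, "type-change", [secret_type(have), secret_type(want)]))
    return findings

if __name__ == "__main__":
    for finding in audit(LIVE_JSON, DESIRED_JSON):
        print(finding)
```

A `type-change` finding marks a Secret that has to be deleted and recreated during the upgrade; a `missing-keys` finding marks one the API server would reject under the new type.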

radius-triage-bot[bot] commented 5 months ago

:+1: We've reviewed this issue and have agreed to add it to our backlog. Please subscribe to this issue for notifications, we'll provide updates when we pick it up.