search

submariner-io / submariner

Networking component for interconnecting Pods and Services across Kubernetes clusters.
https://submariner.io
Apache License 2.0
2.41k stars 190 forks source link

Support client cert auth for agent/broker communication #1115

Open qiujian16 opened 3 years ago

qiujian16 commented 3 years ago

What would you like to be added: Today submariner agent is using service account token to talk to broker, and user will set the toke directly in operator's CR.

It will be more secure if we can also support other auth mechanism to broker, such as mtls. Maybe we should allow operator CR to reference a secret with kubeconfig and cert/key.

Why is this needed: We can use other registration mechanism to create csr and rotate certificate, which avoids credential pass across clusters.

mangelajo commented 3 years ago

Can we have more details of how is this implemented? If it allows rotation, etc that'd be a benefit.

qiujian16 commented 3 years ago

what we did in open-cluster-management is that we will start a registration agent on the spoke, send csr to hub (broker), one the the hub approves the csr, the agent will use the client cert to generate secret containing kubeconfig that connects to hub.

And example is here https://github.com/qiujian16/addon-framework/blob/main/pkg/manager/controllers/registration/manifests/addon-registration-deployment.yaml.

on the spoke, we will start an agent https://github.com/qiujian16/addon-framework/blob/main/pkg/spoke/controllers/hubclientcert/controller.go like this to generate client cert and rotate the cert.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

tpantelis commented 3 years ago

bump

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

skitt commented 3 years ago

This is still relevant.

dfarrell07 commented 2 years ago

Maybe we should allow operator CR to reference a secret with kubeconfig and cert/key.

This part is done now, thanks to Stephen! :partying_face:

There's still more we could do, maybe @skitt can provide details.

dfarrell07 commented 2 years ago

This was discussed a lot in https://github.com/submariner-io/enhancements/pull/102. We'd love to do it, but need contributor cycles. - PR scrub