Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support client cert auth for agent/broker communication #1115

Open
qiujian16 opened this issue Jan 28, 2021 · 8 comments
Open

Support client cert auth for agent/broker communication #1115

qiujian16 opened this issue Jan 28, 2021 · 8 comments
Labels
confirmed For issues and PRs which we definitely want (disables the stale bot) enhancement New feature or request help wanted Looking for someone to work on this open-cluster-management Of interest to open-cluster-management/submariner-addon

Comments

@qiujian16
Copy link

What would you like to be added:
Today submariner agent is using service account token to talk to broker, and user will set the toke directly in operator's CR.

It will be more secure if we can also support other auth mechanism to broker, such as mtls. Maybe we should allow operator CR to reference a secret with kubeconfig and cert/key.

Why is this needed:
We can use other registration mechanism to create csr and rotate certificate, which avoids credential pass across clusters.
@qiujian16 qiujian16 added the enhancement New feature or request label Jan 28, 2021
@nyechiel nyechiel added the open-cluster-management Of interest to open-cluster-management/submariner-addon label Jan 28, 2021
@mangelajo
Copy link
Contributor

Can we have more details of how is this implemented? If it allows rotation, etc that'd be a benefit.

@qiujian16
Copy link
Author

what we did in open-cluster-management is that we will start a registration agent on the spoke, send csr to hub (broker), one the the hub approves the csr, the agent will use the client cert to generate secret containing kubeconfig that connects to hub.

And example is here https://github.com/qiujian16/addon-framework/blob/main/pkg/manager/controllers/registration/manifests/addon-registration-deployment.yaml.

on the spoke, we will start an agent https://github.com/qiujian16/addon-framework/blob/main/pkg/spoke/controllers/hubclientcert/controller.go like this to generate client cert and rotate the cert.

@stale
Copy link

stale bot commented May 1, 2021

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label May 1, 2021
@tpantelis
Copy link
Contributor

bump

@stale stale bot removed the wontfix This will not be worked on label May 1, 2021
@stale
Copy link

stale bot commented Jun 30, 2021

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jun 30, 2021
@stale stale bot closed this as completed Jul 7, 2021
@skitt
Copy link
Member

skitt commented Jul 8, 2021

This is still relevant.

@skitt skitt reopened this Jul 8, 2021
@stale stale bot removed the wontfix This will not be worked on label Jul 8, 2021
@skitt skitt added the confirmed For issues and PRs which we definitely want (disables the stale bot) label Jul 8, 2021
@dfarrell07
Copy link
Member

Maybe we should allow operator CR to reference a secret with kubeconfig and cert/key.

This part is done now, thanks to Stephen! 🥳

There's still more we could do, maybe @skitt can provide details.

@dfarrell07 dfarrell07 added the help wanted Looking for someone to work on this label Feb 8, 2022
@dfarrell07
Copy link
Member

This was discussed a lot in submariner-io/enhancements#102. We'd love to do it, but need contributor cycles. - PR scrub

@maayanf24 maayanf24 added this to Backlog Jul 2, 2024
@maayanf24 maayanf24 moved this to Backlog in Backlog Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
confirmed For issues and PRs which we definitely want (disables the stale bot) enhancement New feature or request help wanted Looking for someone to work on this open-cluster-management Of interest to open-cluster-management/submariner-addon
Projects
Backlog
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
6 participants
@dfarrell07 @mangelajo @skitt @qiujian16 @nyechiel @tpantelis