feat: support secret as a target #193
Conversation
jetstack-bot
added
dco-signoff: no
|
Hi @Jiawei0227. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
the
size/XXL
|
/ok-to-test /cc @SgtCoDFish @rudexi |
|
@Jiawei0227: GitHub didn't allow me to request PR reviews from the following users: rudexi. Note that only cert-manager members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Jiawei0227: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
|
@rudexi: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
|
Thanks @Jiawei0227 for rebasing this PR, could you dco signoff your commits & also add @rudexi as a co-author? |
jetstack-bot
added
dco-signoff: yes
Done. This CL is mostly a rewrite since the previous PR is completely un-rebaseable. But I am okay with co-authoring @rudexi since this PR is inspired by him |
Jiawei0227
force-pushed
the
secrets
branch
3 times, most recently
from
1710f91 to
00260c6
Compare
jetstack-bot
added
the
needs-rebase
jetstack-bot
removed
the
needs-rebase
|
/retest |
| # -- List of secrets trust-manager is allowed to read/write. Used when the secret target is set when creating | ||
| # a bundle. If the list is empty it means read/write access to all secrets. | ||
| authorizedSecrets: ["ca-bundle"] |
There was a problem hiding this comment.
suggestion: I'm not sure if this is the safest way to do this.
I have a few concerns:
- Having a default here feels wrong - since most clusters won't need to be able to read/write to secrets called
ca-bundle. I'd rather the default be that there's nothing extra which we have access to, so that users have to explicitly expand trust-manager's permissions. - Having an empty list confer permissions to everything is really confusing to me (the intuitive reading would be that an empty list means there are no allowed secrets at all)
- There doesn't seem to be an obvious way to allow no secrets, in the event that I don't want to use secrets at all.
I'd personally rather the default be "no secrets are authorized". How about something like the following?
secretTargets:
# -- If set to true, enable writing trust bundles to Kubernetes Secrets as a target
enabled: false
# -- A list of secret names which trust-manager will be permitted to read and write across all namespaces. These will be the only allowable Secrets that can be used as targets. Must be a non-empty list if secretTargets.enabled is true
authorizedSecrets: [] # NOTE: I originally wrote [""] here but [] is better
There was a problem hiding this comment.
What would be the difference between authorizedSecrets: [""] and authorizedSecrets: [] ?
There was a problem hiding this comment.
Whoops, that was a typo, my bad! I think the default should be authorizedSecrets: [].
If enabled is set to true, we should check that authorizedSecrets is a list with at least one valid secret name. "" wouldn't be a valid secret name.
There was a problem hiding this comment.
For resourceNames, an empty set means that everything is allowed
I was thinking https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources the resourceNames field in k8s and an empty list there infer permission to all.
However, I understand the concern here. But then the question is probably what option we will use to indicate "permission to all"? The problem is resourceNames does not allow wildcard matching (kubernetes/kubernetes#56582). I added an enabled field so that user have to explicitly enable it. wdyt?
There was a problem hiding this comment.
I think we need a separate config to enable RBAC to any secret. It seems scary to rely on a Helm list value to express this desire.
There was a problem hiding this comment.
okay, I add another option authorizedSecretsAll to indicate permission to all. And now empty list of authorizedSecrets means access to nothing
|
/retest |
| @@ -39,7 +39,7 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| EventuallyTimeout = "30s" | |||
| EventuallyTimeout = "90s" | |||
There was a problem hiding this comment.
question: Why are we bumping this? 30s seems like it should be plenty for this use case to me, but I'd happily bump if you've been running into problems
There was a problem hiding this comment.
I run this locally, if its the first time I bring up KIND cluster it will timeout. It took around 40s etc to finish all the testing in my local.
Inspired by cert-manager#108 Signed-off-by: Jiawei Wang <[email protected]>,Guillaume Ludinard <[email protected]>
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
| - "" | ||
| resources: | ||
| - "secrets" | ||
| verbs: ["create", "list", "watch"] |
There was a problem hiding this comment.
@SgtCoDFish shouldn't this also be part of the .Values.secretTargets.enabled section?
There was a problem hiding this comment.
We still by default grant trust-manager access to read ALL secret resources.
There was a problem hiding this comment.
I think we must conditionally watch secrets from the controller if we add a condition here. And that might be the reason behind this bug.
There was a problem hiding this comment.
Here is a WIP PR to fix this: #207. My Tuesday (tomorrow) is filled with meetings, so feel free to pick it up. My gut feeling says that this new feature needs more work....
There was a problem hiding this comment.
Yeah that's my bad... thought I checked the permissions and clearly wasn't thorough / careful enough in my efforts to move this forwards. Sorry.
There was a problem hiding this comment.
Thanks for confirming that this was not the intended behavior @SgtCoDFish.
Support #10
Add a new API Secret under taget to allow creating secret format CA certificates.
This is compatible with existing ConfigMap and can co-exist or exist alone.