Kuberos running in another Kubernetes cluster #42
This sounds like a bit of a tricky one. As you say, there are two ways to load CA data at the moment: either by reading them from the kubeconfig template file, or (in single cluster deployments) loading them from the service account. I have to admit I'm a little unfamiliar with Let's Encrypt in practice. Could you explain a little more around why you don't want to use the
The thing is that Let's Encrypt certs are already trusted by the system (i.e. it's not self-signed, example: https://letsencrypt.org/) so you don't need to give the
We're on an internal network and connect to our cluster with
@negz what do you think about a boolean flag to control that?
@Miouge1 - What happens when you don't mount in a service account by modifying kuberos's pod spec to have Doing so removes the default service account from being mounted into kuberos at all, and the original intention of #36 was to have kuberos leave certificate-authority-data alone.
Hi all, just wanted to apologise that I haven't been very active in this conversation. It sounds like a problem worth solving, but I want to think a little more about how we solve it. Unfortunately I haven't had a lot of time for Kuberos these last few weeks, but I hope my schedule will clear up soon.
@ripta thanks a lot for the context! That solved our issue. Adding that to the pod spec no longer auto-generates certificate-authority-data.
Hi,
I run a single Kuberos instance for several Kubernetes clusters:
Both clusters have a Let's Encrypt CA, so I prefer not to include any certificate-authority-data. The thing is that by default Kuberos tries to be smart and adds the /var/run/secrets/kubernetes.io/serviceaccount CA as certificate-authority-data, but that's not really what I'm after. As a workaround I have added the Let's Encrypt CA in certificate-authority-data. Is there a better way to address this? Maybe a flag --guess-ca?
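One thing a consumer of the generated kubeconfig can check for itself, as an added example that is not part of this issue or of Kuberos: a stdlib-only Python audit of each clusters[].cluster entry. It reports whether kubectl will pin a CA, fall back to the system trust store (the behaviour wanted above for an API server with a Let's Encrypt certificate), or skip verification entirely; checks that any certificate-authority-data is base64-encoded PEM; and flags the same CA blob attached to different API servers, which is what one Kuberos instance copying its own in-cluster CA into every cluster entry would look like. Cluster names, server URLs and the CA blob are constructed, and the PEM check is structural only (it does not parse the certificate).

```python
"""Audit how the cluster entries of a kubeconfig decide which CA to trust.

Added example, not Kuberos code. The kubeconfig is taken as an already
parsed dict (kubeconfig is YAML, but JSON-compatible dicts are used here
so the example needs only the standard library).
"""
import base64
import binascii
from collections import defaultdict
from typing import Optional

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def ca_mode(cluster: dict) -> str:
    """Classify a kubeconfig cluster stanza.

    "insecure"     - insecure-skip-tls-verify set: server identity is not checked
    "pinned"       - certificate-authority(-data) present: only that CA is trusted
    "system-roots" - neither present: the OS trust store is used, which is what
                     a publicly trusted (e.g. Let's Encrypt) API server needs
    """
    if cluster.get("insecure-skip-tls-verify"):
        return "insecure"
    if "certificate-authority-data" in cluster or "certificate-authority" in cluster:
        return "pinned"
    return "system-roots"


def decode_ca_data(data: str) -> Optional[bytes]:
    """Base64-decode certificate-authority-data; None unless it looks like PEM."""
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Structural check only: the decoded bytes must start with a PEM cert header.
    return raw if raw.lstrip().startswith(PEM_HEADER) else None


def audit_kubeconfig(cfg: dict) -> dict:
    """Return {cluster-name: [findings]} for every cluster entry in cfg."""
    findings = defaultdict(list)
    ca_to_servers = defaultdict(set)
    clusters = cfg.get("clusters", [])
    for item in clusters:
        name, cluster = item["name"], item.get("cluster", {})
        mode = ca_mode(cluster)
        findings[name].append(f"mode={mode}")
        if mode == "insecure":
            findings[name].append("TLS verification disabled; server identity is not checked")
        data = cluster.get("certificate-authority-data")
        if data is not None:
            if decode_ca_data(data) is None:
                findings[name].append("certificate-authority-data is not base64-encoded PEM")
            else:
                ca_to_servers[data].add(cluster.get("server"))
    # One CA bundle pinned for several different API servers is the symptom from
    # the issue: a single in-cluster service-account CA copied into every entry.
    # It is only correct if those clusters genuinely share a CA.
    for data, servers in ca_to_servers.items():
        if len(servers) > 1:
            for item in clusters:
                if item.get("cluster", {}).get("certificate-authority-data") == data:
                    findings[item["name"]].append(
                        f"same certificate-authority-data shared by {len(servers)} servers")
    return dict(findings)


# Constructed sample input: not real certificates, clusters or hostnames.
FAKE_CA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
).decode()

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "public-a", "cluster": {"server": "https://a.example.invalid:6443"}},
        {"name": "copied-b", "cluster": {"server": "https://b.example.invalid:6443",
                                          "certificate-authority-data": FAKE_CA}},
        {"name": "copied-c", "cluster": {"server": "https://c.example.invalid:6443",
                                          "certificate-authority-data": FAKE_CA}},
        {"name": "broken-d", "cluster": {"server": "https://d.example.invalid:6443",
                                          "certificate-authority-data": "not base64!"}},
        {"name": "insecure-e", "cluster": {"server": "https://e.example.invalid:6443",
                                            "insecure-skip-tls-verify": True}},
    ],
}

if __name__ == "__main__":
    for cluster_name, notes in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(cluster_name, "->", "; ".join(notes))
```

Running it against a real kubeconfig only needs the dict swapped for the parsed file; the "system-roots" mode is the one the reporter wants for both clusters, and the shared-CA finding is the one that would have surfaced the auto-inserted service-account CA.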