Comments (7)
@hawksight I think #58 would solve the multi-tenant use cases much better. It is a feature I would love to see implemented. We already use the referenced Openshift feature a lot to inject the cluster CA into configmaps. It would represent a more pull-based workflow, as opposed to the push-based approach supported by trust-manager.
I don't think we should support wildcards in the namespace selector as it would increase the complexity of controller code. To select all namespaces, a user should use the empty selector IMO:
spec:
target:
namespaceSelector: {}
Similar to how you configure networkpolicies, ref. https://kubernetes.io/docs/concepts/services-networking/network-policies/#allow-all-ingress-traffic
Also Kubernetes injects a label on all namespaces with the namespace name. So if we are not going for wildcard support, the matchNames
is not really required.
kind: Namespace
apiVersion: v1
metadata:
name: egb-test-cert
labels:
kubernetes.io/metadata.name: egb-test-cert
from trust-manager.
So this change basically only means, a user would need to specify the spec.target.namespaceSelector field with {}, rather than omitting the key which can be done at the moment?
Yes, I consider this change to be just making the namespaceSelector
a required field. So a user who wants to sync to all namespaces has to configure this explicitly.
from trust-manager.
Yeah I guess that'd make sense! This is something I assume we'd change in v1alpha2 or some other new API version. I'll add to the milestone!
I have a couple of other suggestions for a new API version, so if you are ready for it, I can start on the job. I just finished introducing a new API version in https://github.com/cybozu-go/accurate, so my mind is full of experiences.
from trust-manager.
@SgtCoDFish I think it could make sense to add this to the v1 milestone.
from trust-manager.
Yeah I guess that'd make sense! This is something I assume we'd change in v1alpha2 or some other new API version. I'll add to the milestone!
from trust-manager.
The use case certainly swayed me here, but I would like to think about the usability element. Thinking of cert-manager Certificate
spec, there are "default" values that often people want to change but cannot (easily). It might well be easier in the long run to have a configurable default that allows for easier roll out in many use cases.
So in the example above, what if you are not a multi tenant cluster?
What if you just want the current default behaviour to sync everywhere?
Currently that would involve:
spec:
target:
namespaceSelector:
matchLabels:
key: value
Plus labelling all the applicable namespaces. (Which could be many) k label ns test key=value
.
That seems like a potential chore for people, so I would like to try and make it easier for non multi-tenant environments.
Perhaps a good start would be to have a namespace list option along with labels? Similar to CertificateRequestPolicies
FIELDS:
matchLabels <map[string]string>
MatchLabels is the set of Namespace labels that select on
CertificateRequests which have been created in a Namespace matching the
selector.
matchNames <[]string>
MatchNames are the set of Namespace names that select on CertificateRequests
that have been created in a matching Namespace. Accepts wildcards "*".
Something like:
spec:
target:
namespaceSelector:
matchNames: [*]
This negates the need for namespace labelling so it is less work to implement at least.
A follow on might be that a default matchLabels
or matchNames
value could be supplied at installation of trust-manager? (not sure how this looks) So the idea being you can choose a default value to apply when no field is supplied on each resource. (Yes this sounds like Kyverno or OPA equivalent thing). Also unsure how that plays with the required
part.
I'm also wondering if the mutli-tenant scenario actually plays better to the future Bundle
(namespaced) resource as opposed to the ClusterBundle
(cluster wide) resource we currently have?
- Bundle -> has to be scoped upwards to go beyond namespace?
- ClusterBundle -> Has to be scoped downwards to be applied successfully.
I do agree that with such an important role to play we do need to think of the implications of CA's being presented across a cluster.
from trust-manager.
This is probably a case I should have tried before I commented. @erikgb {}
works just as well, good example.
So currently this works:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: debian-ca-bundle
spec:
sources:
- useDefaultCAs: true
target:
configMap:
key: "ca-certificates.crt"
namespaceSelector: {}
Example output to all namesapces:
> k get configmap -A -l trust.cert-manager.io/bundle=debian-ca-bundle
NAMESPACE NAME DATA AGE
app-appset-dev-15 debian-ca-bundle 1 99s
app-team-1 debian-ca-bundle 1 100s
app-team-2 debian-ca-bundle 1 100s
app-team-3 debian-ca-bundle 1 99s
default debian-ca-bundle 1 100s
demos debian-ca-bundle 1 100s
development debian-ca-bundle 1 99s
httpbin debian-ca-bundle 1 99s
ingress-nginx debian-ca-bundle 1 100s
istio-system debian-ca-bundle 1 100s
jetstack-secure debian-ca-bundle 1 100s
kube-node-lease debian-ca-bundle 1 100s
kube-public debian-ca-bundle 1 100s
kube-system debian-ca-bundle 1 100s
staging debian-ca-bundle 1 100s
test debian-ca-bundle 1 100s
venafi debian-ca-bundle 1 100s
Which works just as well as not specifying the key currently:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: debian-ca-bundle
spec:
sources:
- useDefaultCAs: true
target:
configMap:
key: "ca-certificates.crt"
So this change basically only means, a user would need to specify the spec.target.namespaceSelector
field with {}
, rather than omitting the key which can be done at the moment? if it remains this way then I can probably retract all my previous words.
I guess the objective here is that the trust-manager user of the Bundle
/ ClusterBundle
resource is forced to make this choice at creation time that it will in fact target all namespaces (when using {}
).
from trust-manager.
Related Issues (20)
- Issue with CRDs when having trust-manager as chart dependency
- No flag to set structured logging format, e.g. JSON? HOT 2
- Using `trust-manager` for generating keystores HOT 5
- Evaluate trust namespace value as template
- Init Container cert-manager-package-debian Helm Chart should allow resource requests and limits HOT 1
- Bundle generating empty truststore.p12 when no password is provided HOT 2
- Allow all resources to be namespaced
- trust-manager deduplication doesnt work HOT 12
- Add support to s390x arch HOT 9
- Add support for kubectl installation HOT 3
- Add matchExpressions to Bundle's spec.target.namespaceSelector HOT 3
- Avoid multiple decode/encode of certificates HOT 6
- Provide deterministic bundle HOT 5
- Wrong labels in topologySpreadConstraints example in the Helm chart values
- Chart is not allowing to pass Certificate Issuer name through value.yaml
- Document a policy around immutable image tags HOT 1
- Support RSA Keys HOT 3
- Helm chart support dual stack clusters
- Allow to specify admission webhooks CA from Bundle HOT 3
- Empty Target field in kubectl get bundle HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trust-manager.