redhat-cop / cert-operator
An OpenShift controller using the Operator SDK for managing TLS certificate lifecycle
We would like to explore how we might use this project as a wrapper around Jetstack Cert Manager. This project is gaining a lot of traction, even getting PKI vendors to contribute plugins. What they don't have is support for OpenShift, specifically Routes.
Some dependency has downgraded "contrib.go.opencensus.io/exporter/ocagent", breaking cert-operator.
After go-config v0.7.0, our operator breaks on startup citing that there is no provider configured.
Update the following constraint in Gopkg.toml from 0.7.0 to any later release:
[[constraint]]
name = "github.com/micro/go-config"
version = "0.7.0"
Install dependencies and start operator:
dep ensure
operator-sdk up local
Operator starts successfully
panic: There was a problem detecting which provider to configure.
Provider kind `` is invalid.
{"provider":{"kind":""},"general":{"annotations":{"status":"","status-reason":"","expiry":"","format":""}}}
goroutine 1 [running]:
github.com/redhat-cop/cert-operator/pkg/stub.NewHandler(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/esauer/go/src/github.com/redhat-cop/cert-operator/pkg/stub/handler.go:32 +0x30e
main.main()
/home/esauer/go/src/github.com/redhat-cop/cert-operator/cmd/cert-operator/main.go:33 +0x177
exit status 2
Error: failed to run operator locally: exit status 1
Due to bug: asim/go-config#99, the configuration will turn up empty and will cause failure at startup if the file is missing.
When configuration for the operator is incomplete or missing the operator still starts successfully and partially processes the annotation into a broken state.
This is a request from a customer.
Venafi apparently supports the ability to pass additional metadata when requesting a certificate (I can't find the official API documentation).
This metadata will be used to associate the certificate to the right team.
We should use Travis to run oc cluster up, then kick off the e2e tests. Should be pretty straightforward.
Before updating a route we should validate that the certificate is trusted by the CA.
Secret type cannot be changed when a cert is requested on a passthrough, if a secret already exists and isn't of type TLS. The service secret cannot be set. The cert operator will fail and will retry in a loop to set a new cert on the service.
The solution that will be applied is to check the secret type if it exists and, if it's not of type TLS, mark the service cert request as failed.
In order to help with organizations looking to adopt the operator, want to provide a good method for them to get it built and deployed. To help with this, we want to build a sample deployment pipeline that includes:
TLSTerminationType may be null on a route. There should be a null check on termination before checking for the passthrough type. If the termination type is null, it should be defaulted to Edge.
Hey, this project seems very interesting.
One question, is this operator only for Apps, or also for cluster certs, such as the Console or the routers?
It would be very useful to have an operator to automatically manage cluster certs ;).
Fail passthrough route as certificate is not supported. The current behavior is to request a certificate for passthrough route, try to set it and fail. This possibly would result in a loop.
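The three issues above (refusing passthrough routes up front, treating a null termination as Edge, and failing the request when an existing secret is not of type TLS) are all pre-flight checks on the request. The following is an added example of how such checks can be written, not code from cert-operator itself: it mirrors the relevant fields of the OpenShift route and Kubernetes secret types locally (the real ones are routev1.Route/routev1.TLSConfig and corev1.Secret) so it runs without those modules, and the function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-ins for the OpenShift route and Kubernetes secret types,
// constructed here so the example runs without the openshift/api or
// k8s.io/api modules. The real types are routev1.Route and corev1.Secret.
type TLSTerminationType string

const (
	TLSTerminationEdge        TLSTerminationType = "edge"
	TLSTerminationPassthrough TLSTerminationType = "passthrough"
	TLSTerminationReencrypt   TLSTerminationType = "reencrypt"
)

type TLSConfig struct {
	Termination TLSTerminationType
}

type Route struct {
	Name string
	TLS  *TLSConfig // nil when the route has no TLS block at all
}

type SecretType string

const SecretTypeTLS SecretType = "kubernetes.io/tls"

type Secret struct {
	Name string
	Type SecretType
}

var (
	ErrPassthroughUnsupported = errors.New("passthrough routes terminate TLS in the pod; a certificate cannot be set on the route")
	ErrSecretTypeMismatch     = errors.New("existing secret is not of type kubernetes.io/tls and its type cannot be changed in place")
)

// effectiveTermination returns the termination type the operator should act on.
// Both a nil TLS block and an empty Termination are treated as edge, which is
// the null check the issue above asks for.
func effectiveTermination(r Route) TLSTerminationType {
	if r.TLS == nil || r.TLS.Termination == "" {
		return TLSTerminationEdge
	}
	return r.TLS.Termination
}

// validateRouteRequest rejects a certificate request for passthrough routes
// before anything is requested from the CA, instead of requesting, failing to
// set the certificate, and retrying in a loop.
func validateRouteRequest(r Route) (TLSTerminationType, error) {
	t := effectiveTermination(r)
	if t == TLSTerminationPassthrough {
		return t, fmt.Errorf("route %q: %w", r.Name, ErrPassthroughUnsupported)
	}
	return t, nil
}

// validateServiceSecret fails the request when a secret already exists under
// the target name but is not a kubernetes.io/tls secret. existing == nil means
// no secret exists yet and the operator is free to create one of the right type.
func validateServiceSecret(existing *Secret) error {
	if existing == nil {
		return nil
	}
	if existing.Type != SecretTypeTLS {
		return fmt.Errorf("secret %q has type %q: %w", existing.Name, existing.Type, ErrSecretTypeMismatch)
	}
	return nil
}

func main() {
	// Constructed sample routes covering the nil, empty, edge and passthrough cases.
	routes := []Route{
		{Name: "no-tls"},
		{Name: "empty-term", TLS: &TLSConfig{}},
		{Name: "edge", TLS: &TLSConfig{Termination: TLSTerminationEdge}},
		{Name: "pass", TLS: &TLSConfig{Termination: TLSTerminationPassthrough}},
	}
	for _, r := range routes {
		t, err := validateRouteRequest(r)
		fmt.Printf("%-10s termination=%-11s err=%v\n", r.Name, t, err)
	}
	// Constructed sample: a pre-existing Opaque secret under the service's secret name.
	opaque := &Secret{Name: "svc-cert", Type: "Opaque"}
	fmt.Println("opaque secret:", validateServiceSecret(opaque))
}
```

Both validators return sentinel errors wrapped with context, so a reconcile loop can use errors.Is to mark the request as failed (terminal) rather than re-queueing it.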
Hi!
I am testing the 0.2.0 version and as I can see the operator produces just a regular secret.
Kubernetes has a standard secret type for TLS; I believe the operator should produce kubernetes.io/tls secrets.
How to create a TLS secret manually:
kubectl create secret tls cluster3-certificate --cert=./server-cert.pem --key=./server-key.pem
The cert-operator can no longer be built under the latest version of the operator-sdk. Currently it is being built against master.
This issue is to upgrade the cert-operator to use the latest libraries needed by the latest version of the operator-sdk.
Trying to build this into an image and it's failing due to: github.com/redhat-cop/cert-operator/pkg/config/config.go:75:3: undefined: memory.WithData. Seems like WithData is no longer a valid method in the memory package.
It should be possible to define team-level credentials for connecting to CAs as opposed to cluster-level ones.
This allows better multi-tenancy and accountability on the CAs side.
Operator logs should be in JSON format or have the option to be properly parsed by Sumologic.
Hostnames/common names cannot be over 64 characters (see RFC 3280 page 103). We should provide a warning when requesting a CSR with a CN over 64 characters.
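An added example (not cert-operator's own code) of enforcing that limit before a CSR is sent to the CA: it checks the CN against the X.509 upper bound of 64, builds a CSR with Go's crypto/x509 so the check can be exercised end to end, and parses the CSR back to show the same check can be applied to CSRs the operator receives. The function names and the sample hostnames are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// ubCommonName is the X.509 upper bound on the CommonName attribute
// (ub-common-name INTEGER ::= 64 in the RFC 3280/5280 ASN.1 module).
const ubCommonName = 64

// checkCommonName returns one warning per name that exceeds the CN bound and
// an empty slice when every name fits.
func checkCommonName(names ...string) []string {
	var warnings []string
	for _, n := range names {
		if l := len(n); l > ubCommonName {
			warnings = append(warnings, fmt.Sprintf(
				"common name %q is %d characters; X.509 limits CN to %d, use a shorter CN and carry the full hostname in subjectAltName",
				n, l, ubCommonName))
		}
	}
	return warnings
}

// buildCSR creates a CSR for cn (also listed as a DNS SAN, plus any extra SANs)
// and returns its DER bytes together with CN-length warnings. The CN is checked
// before the key is even generated so the caller can warn or refuse early.
func buildCSR(cn string, sans []string) ([]byte, []string, error) {
	warnings := checkCommonName(cn)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, warnings, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn},
		DNSNames: append([]string{cn}, sans...),
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, warnings, err
	}
	return der, warnings, nil
}

// csrCommonName parses DER CSR bytes and returns the CN they carry, so the
// same length check can be run on CSRs handed to the operator.
func csrCommonName(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	// Constructed sample hostnames: one short, one deliberately over 64 characters.
	short := "api.example.com"
	long := strings.Repeat("very-long-service-name-", 3) + "apps.cluster.example.com"
	for _, cn := range []string{short, long} {
		der, warns, err := buildCSR(cn, []string{"alt.example.com"})
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		got, _ := csrCommonName(der)
		fmt.Printf("CSR for %q (%d bytes DER), parsed CN=%q, warnings=%d\n", cn, len(der), got, len(warns))
		for _, w := range warns {
			fmt.Println("  warning:", w)
		}
	}
}
```

Note that Go's crypto/x509 does not enforce the bound itself, so the CSR for the long name is still produced; whether a CA accepts it is CA-specific, which is why a warning (or a refusal) at request time is useful.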
Following this operator as an example, we should swap out the default logger for logrus, as it gives us better support for log levels.
These certificates can then be used for mutual auth.
Rather than baking a PEM file into our main docker image to add a trusted certificate, we should be mounting those into the container at runtime, and use a start script to run the update-ca-certificates command.
We recently had something break, and did not know it did. I would like to see an e2e test developed for the Venafi provider. It looks like it's possible to use a Venafi cloud account to test this independently.
The README has the following step:
oc apply -f deploy/deployment.yaml
However, there is no deployment.yaml file. Maybe this step should be oc apply -f deploy/operator.yaml?
The deployment.yaml was deleted by issue #26, so the README needs to be updated.