redhat-cop / cert-operator

An OpenShift controller using the Operator SDK for managing TLS certificate lifecycle


cert-operator's Issues

Integrate with Cert Manager

We would like to explore how we might use this project as a wrapper around Jetstack Cert Manager. This project is gaining a lot of traction, even getting PKI vendors to contribute plugins. What they don't have is support for OpenShift, specifically routes.

Can't use go-config beyond version 0.7.0

Description of Issue

After go-config v0.7.0, our operator breaks on startup citing that there is no provider configured.

How to Reproduce

Update the following constraint in Gopkg.toml from 0.7.0 to any later release:

[[constraint]]
  name = "github.com/micro/go-config"
  version = "0.7.0"

Install dependencies and start operator:

dep ensure
operator-sdk up local

Expected result

Operator starts successfully

Actual Result

panic: There was a problem detecting which provider to configure. 
	Provider kind `` is invalid. 
{"provider":{"kind":""},"general":{"annotations":{"status":"","status-reason":"","expiry":"","format":""}}}

goroutine 1 [running]:
github.com/redhat-cop/cert-operator/pkg/stub.NewHandler(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/home/esauer/go/src/github.com/redhat-cop/cert-operator/pkg/stub/handler.go:32 +0x30e
main.main()
	/home/esauer/go/src/github.com/redhat-cop/cert-operator/cmd/cert-operator/main.go:33 +0x177
exit status 2
Error: failed to run operator locally: exit status 1

#venafi -- add support for additional metadata

This is a request from a customer.
venafi apparently supports the ability to pass additional metadata when requesting a certificate (I can't find the official API documentation).
This metadata will be used to associate the certificate to the right team.

Explicitly fail cert on service when secret is not of type TLS

A secret's type cannot be changed when a cert is requested on a passthrough; if a secret already exists and isn't of type TLS, the service secret cannot be set. The cert operator will fail and will retry in a loop to set a new cert on the service.

The solution that will be applied is to check the secret type if the secret exists and, if it's not of type TLS, mark the service cert request as failed.

Build a sample pipeline to build and deploy operator to OpenShift clusters

In order to help organizations looking to adopt the operator, we want to provide a good method for them to get it built and deployed. To help with this, we want to build a sample deployment pipeline that includes:

  • A Jenkinsfile that handles the go build and image build of the operator
  • A template to manage the pipeline build
  • A template to manage deployment to openshift clusters
  • An Applier inventory to manage the lifecycle of the resources.

Null check for TLSTermination in route.

TLSTerminationType may be null on a route. There should be a null check on termination before checking for passthrough type. If the termination type is null, it should be defaulted to Edge.

Manage OCP certs: OCP console & OCP Routers?

Hey, this project seems very interesting.

One question, is this operator only for Apps, or also for cluster certs, such as the Console or the routers?

It would be very useful to have an operator to automatically manage cluster certs ;).

Explicitly fail passthrough route.

Fail passthrough route as certificate is not supported. The current behavior is to request a certificate for passthrough route, try to set it and fail. This possibly would result in a loop.

use standard `kubernetes.io/tls` secret

Hi!

I am testing the 0.2.0 version and as I can see the operator produces just a regular secret.
Kubernetes has a standard secret type for TLS; I believe the operator should produce kubernetes.io/tls secrets.

How to create a TLS secret manually:

kubectl create secret tls cluster3-certificate --cert=./server-cert.pem --key=./server-key.pem

Upgrade to operator-sdk v0.8.1

The cert-operator can no longer be built under the latest version of the operator-sdk. Currently it is being built against master.
This issue is to upgrade the cert-operator to use the latest libraries needed by the latest version of the operator-sdk.

Image build failing undefined: memory.WithData

Trying to build this into an image and it's failing due to: github.com/redhat-cop/cert-operator/pkg/config/config.go:75:3: undefined: memory.WithData. Seems like WithData is no longer a valid method in the memory package.

add support for namespaced issuers

It should be possible to define team-level credentials for connection to CAs, as opposed to a cluster-level one.
This allows better multi-tenancy and accountability on the CAs side.

JSON logging

Operator logs should be in JSON format or have the option to be properly parsed by Sumologic.

Warn on hostnames over 64 characters

Hostnames/common-name cannot be over 64 characters (see RFC 3280 page 103). We should provide a warning when requesting a CSR over 64 characters
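The four checks requested above (fail the service cert when an existing secret is not of type TLS, null-check the route termination and default it to edge, fail passthrough routes explicitly instead of retrying in a loop, and warn on common names over 64 characters) as one validation layer, written as an added example, not code from cert-operator; the Route, TLSConfig and Secret types are simplified stand-ins constructed here, not the OpenShift or Kubernetes API types:

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins constructed for this example; not the real API types.
type (
	TLSConfig struct{ Termination string } // "edge", "reencrypt", "passthrough" or ""
	Route     struct{ TLS *TLSConfig }     // nil when the route has no tls block
	Secret    struct{ Type string }        // e.g. "kubernetes.io/tls" or "Opaque"
)

const (
	TerminationEdge        = "edge"
	TerminationPassthrough = "passthrough"
	SecretTypeTLS          = "kubernetes.io/tls"
	MaxCommonNameLen       = 64 // ub-common-name upper bound from the X.509 profile
)
var ErrPassthrough = errors.New("passthrough route terminates TLS in the pod: request failed, will not retry")
var ErrSecretType = errors.New("existing secret is not kubernetes.io/tls: type is immutable, request failed")

// validateRouteRequest: a missing tls block or empty termination defaults to edge
// instead of being dereferenced; passthrough is a permanent failure, not a retry.
func validateRouteRequest(r Route) (string, error) {
	t := TerminationEdge
	if r.TLS != nil && r.TLS.Termination != "" {
		t = r.TLS.Termination
	}
	if t == TerminationPassthrough {
		return t, ErrPassthrough
	}
	return t, nil
}

// validateServiceSecret: nil means no secret exists yet and a fresh TLS one may be
// created; a pre-existing secret of another type cannot be converted, so fail.
func validateServiceSecret(existing *Secret) error {
	if existing != nil && existing.Type != SecretTypeTLS {
		return ErrSecretType
	}
	return nil
}

// commonNameWarning reports whether the requested CN exceeds the 64-character limit.
func commonNameWarning(host string) (string, bool) {
	if n := len(host); n > MaxCommonNameLen {
		return fmt.Sprintf("common name %q is %d chars, over the %d limit", host, n, MaxCommonNameLen), true
	}
	return "", false
}
```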

Refactor logging to use logrus

Following this operator as an example, we should swap out the default logger for logrus, as it gives us better support for log levels.

Support addition of ca-certificates via secrets

Rather than baking a PEM file into our main docker image to add a trusted certificate, we should be mounting those into the container at runtime, and use a start script to run the update-ca-certificates command.

Add e2e testing for venafi provider

We recently had something break, and did not know it did. I would like to see an e2e test developed for the venafi provider. It looks like its possible to use a venafi cloud account to test this independently.

deploy/deployment.yaml is missing

The README has the following step:
oc apply -f deploy/deployment.yaml

However, there is no deployment.yaml file. Maybe, this step should be oc apply -f deploy/operator.yaml?

The deployment.yaml was deleted by issue #26, so the README needs to be updated.
