Openshift service certificates #1712
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shtripat
reviewed
Aug 8, 2023
jiuker
requested changes
Aug 11, 2023
shtripat
reviewed
Aug 11, 2023
pjuarezd
force-pushed
the
openshift-service-certificates
branch
from
d5b0b22
to
84e39ad
Compare
- Allow Operator to be installed on it's own namespace in OperatorHub Fix Openshift test: * Allow select Openshift version * Load Operator image from local build instead of remote registry * Only download operator-sdk if not existing in local Signed-off-by: pjuarezd <[email protected]>
pjuarezd
force-pushed
the
openshift-service-certificates
branch
from
68eee97
to
437416b
Compare
shtripat
previously approved these changes
Aug 21, 2023
Signed-off-by: pjuarezd <[email protected]>
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support for TLS Certificates issued by service-ca in Openshift
About Service CA Certificates
Service-ca is the Operator that signs certificates for services TLS traffic, the service CA expiration is 26 months and is automatically refreshed when there is less than 13 months validity left.
Service-ca certificates differentiates from certificates generated from a CertificateSigningRequest (CSR) because the CSR in Openshift issues certificates using the
openshift-kube-controller-managerOperator, this operator is a control plane certificate, and rotate every 30 days.Additionally to the expiration, the recommended way to secure traffic in Openshift is using Service certificates.
Some of the benefits are:
openshift-service-ca.crtunder the same namespace.Scope
This PR covers the Services created for Minio Operator:
consoleandsts. A next PR will cover the life cycle of certificates for the tenant and KES.The certificate generation using service-ca is true only for Openshift, all of enabled only when the flag env variable
MINIO_OPERATOR_RUNTIME=OpenShiftis set, otherwise Operator keeps the previous behavior of generate internal certificates using CSR'sOther enhancements for Openshift
minio-operator, before was mandatory to be installed in theopenshift-operatorsnamespace.Fix openshift tests