Certs improv#54
Conversation
|
@bpradipt this is where I keep getting stuck
Now, you know the use case (OCP) and I am pretty sure trustee doesn't support reading secrets from other namespaces, so I don't understand why this should not be trusteeNamespace... Suppose an example app.yaml if I run I get |
Supposing a pod called hello-http-server is created:
we would have
kind: Secret
metadata:
name: sidecar-tls-hello-http-server
namespace: default
type: kubernetes.io/tls
data:
tls.crt: ...
tls.key: ...
But in the pod-coco.yaml we have
- env:
- name: TLS_CERT_URI
value: kbs:///default/sidecar-tls-hello-http-server/server-cert
- name: TLS_KEY_URI
value: kbs:///default/sidecar-tls-hello-http-server/server-key
- name: CLIENT_CA_URI
value: kbs:///default/sidecar-tls/client-ca
this doesn't make sense as applying the secret and adding it into kbs will create /default/sidecar-tls-hello-http/server/tls.crt not /default/.../server-cert.
Fix it with this commit.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
I'm assuming you are using the trustee-operator In this model the secret must live in the trustee namespace. Now, in The path prefix is the workload namespace, and it's a logical KBS repo path. It has nothing to do with which K8s namespace Trustee runs in. Trustee's "can't read secrets from other namespaces" constraint never comes into play, because no K8s Secret is being read at all. TL;DR: The upload path uses the workload namespace, so the skip-apply file's metadata.namespace must match it (namespace) to stay consistent with the TLS_CERT_URI in app-coco.yaml. Using In OCP, since the secrets comes from CRD config or vault, we'll have to think of a proper mechanism. This is in addition to the bug with sidecar secret which is incorrectly emitted as tls.crt/tls.key. |
|
makes sense, for now let's focus on this bug fix. Thanks! |
As per issue #51
Plus fix namespace error in generated trustee secret