
Certificates should be stored as TLS secrets

Open elevran opened this issue 1 year ago • 1 comment

Currently all ClusterLink secrets are created as type Opaque:

$ kubectl get secret --namespace clusterlink-system
NAME              TYPE     DATA   AGE
cl-controlplane   Opaque   2      19h
cl-dataplane      Opaque   2      19h
cl-fabric         Opaque   1      19h
cl-peer           Opaque   1      19h

Typically, certificates (such as cl-peer) should be using Spec.SecretType: SecretTypeTLS. These have predefined fields for certificate and key.

Search for SecretTypeTLS in corev1 and the kubectl documentation.

The change should affect the clusterlink CLI and any manual deployment documentation (if present).

elevran avatar Apr 10 '24 06:04 elevran

The ROI on this is low: some risk, low reward (having predefined data fields in secrets and clearer secret type). Pushing out on fixing this to later with lower priority. Changes are needed in documentation and YAML templates (mostly adding type: kubernetes.io/tls and changing cert and key to tls.cert and tls.key in secrets. Mount paths need to change accordingly).

elevran avatar May 06 '24 14:05 elevran
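The migration the issue and the comment describe, as an added example that is not part of the ClusterLink project: a check that flags an Opaque secret that should be of type kubernetes.io/tls, and a converter that renames its data entries to the key names Kubernetes defines for that type (tls.crt and tls.key, corev1.TLSCertKey and corev1.TLSPrivateKeyKey). The secret manifest is a constructed sample in JSON form; the Opaque key names cert and key are the ones named in the comment, and the PEM bodies are placeholders.

```python
import base64
import json

# Names Kubernetes defines for secrets of type kubernetes.io/tls.
TLS_TYPE = "kubernetes.io/tls"
TLS_CERT_KEY = "tls.crt"
TLS_PRIVATE_KEY = "tls.key"

# Data entries used by the Opaque secrets in the issue -> their TLS-secret names.
OPAQUE_TO_TLS = {"cert": TLS_CERT_KEY, "key": TLS_PRIVATE_KEY}


def _has_pem_block(b64_value: str, marker: str) -> bool:
    """Decode one base64 data entry and check it carries the expected PEM marker."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (ValueError, TypeError):
        return False
    return marker in raw.decode("ascii", errors="replace")


def check_tls_secret(secret: dict) -> list:
    """Return the problems a reviewer would flag on a secret that should be type TLS."""
    problems = []
    if secret.get("type") != TLS_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {TLS_TYPE!r}")
    data = secret.get("data", {})
    for key in (TLS_CERT_KEY, TLS_PRIVATE_KEY):
        if key not in data:
            problems.append(f"missing data key {key!r}")
    return problems


def to_tls_secret(secret: dict) -> dict:
    """Rewrite an Opaque secret holding 'cert'/'key' as a kubernetes.io/tls secret.

    Values are copied unchanged; only the type and the data key names change, so
    anything mounting the secret must switch to tls.crt / tls.key as the comment notes.
    """
    if secret.get("type", "Opaque") != "Opaque":
        raise ValueError(f"unexpected secret type {secret.get('type')!r}")
    data = secret.get("data", {})
    missing = [k for k in OPAQUE_TO_TLS if k not in data]
    if missing:
        raise ValueError(f"Opaque secret lacks {missing}; cannot convert")
    if not _has_pem_block(data["cert"], "-----BEGIN CERTIFICATE-----"):
        raise ValueError("'cert' does not decode to a PEM certificate")
    if not _has_pem_block(data["key"], "PRIVATE KEY-----"):
        raise ValueError("'key' does not decode to a PEM private key")
    converted = json.loads(json.dumps(secret))  # deep copy; leave the input untouched
    converted["type"] = TLS_TYPE
    converted["data"] = {OPAQUE_TO_TLS.get(k, k): v for k, v in data.items()}
    return converted


# Constructed sample resembling the cl-dataplane Opaque secret; PEM bodies are placeholders.
_PEM_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_PEM_KEY = "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"
SAMPLE_OPAQUE = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "cl-dataplane", "namespace": "clusterlink-system"},
    "type": "Opaque",
    "data": {"cert": base64.b64encode(_PEM_CERT.encode()).decode(),
             "key": base64.b64encode(_PEM_KEY.encode()).decode()},
}
```

Running `check_tls_secret` before and after `to_tls_secret` shows the three findings (wrong type, no tls.crt, no tls.key) disappear once the manifest is converted.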