
Feature request: command for exporting router CA certificate

Open kadel opened this issue 4 years ago • 9 comments

To make some things work properly on CRC (like CRW), it is required to add the router CA certificate to my system.

I currently do it by running oc -n openshift-ingress-operator get secret router-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt. But this one-liner works only on Linux and Mac.

It would be nice if crc came with a command that would extract the router CA so users can add it to their systems.

kadel avatar Oct 27 '21 12:10 kadel
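
A platform-independent form of the one-liner in the post above, as an added example that is not part of the original thread or of crc itself. It assumes the secret is fetched with `-o json` instead of `-o jsonpath`; the script name `export_router_ca.py`, the function names and the sample secret are hypothetical, and the sample holds placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import json
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def extract_ca_bundle(secret_json, key="tls.crt"):
    """Return the PEM text stored under data[key] of a Secret in JSON form."""
    secret = json.loads(secret_json)
    try:
        encoded = secret["data"][key]
    except (KeyError, TypeError):
        raise ValueError(f"secret has no data[{key!r}] entry") from None
    # Secret values are base64; validate=True rejects stray characters.
    pem = base64.b64decode(encoded, validate=True).decode("ascii")
    if not PEM_RE.search(pem):
        raise ValueError("decoded value contains no PEM certificate")
    return pem

def fingerprints(pem):
    """SHA-256 of each certificate's DER bytes, in bundle order."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem)]

# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"

def constructed_secret():
    body = base64.encodebytes(SAMPLE_DER).decode("ascii")
    pem = f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
    return json.dumps({"kind": "Secret", "metadata": {"name": "router-ca"},
                       "data": {"tls.crt": base64.b64encode(pem.encode()).decode()}})

if __name__ == "__main__":
    # Usage: oc -n openshift-ingress-operator get secret router-ca -o json | python export_router_ca.py
    # With no piped input the constructed sample is used instead.
    text = constructed_secret() if sys.stdin.isatty() else sys.stdin.read()
    bundle = extract_ca_bundle(text)
    with open("ca.crt", "w", newline="\n") as fh:
        fh.write(bundle)
    for fp in fingerprints(bundle):
        print("sha256:", fp)
```

The printed SHA-256 fingerprints can be compared with those of a copy of the CA obtained another way before ca.crt is added to a system trust store.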

This certificate is not static and changes between releases. It would be preferred to provide your own CA certificate, right?

gbraad avatar Oct 27 '21 12:10 gbraad

> It would be preferred to provide your own CA certificate, right?

But then that certificate would have to be provided every time the cluster is deleted (after crc delete, crc start) or it could be made persistent somehow?

kadel avatar Oct 27 '21 14:10 kadel

> It would be nice if crc comes with a command that would extract the router CA

CRC will not implement commands that are able to be performed using OpenShift (e.g. oc) CLI tools. Since you have a command that works, I am not sure why you want us to 'wrap' this in crc.

This would be wiki or documentation instead.


It would make more sense to streamline the whole process and make this part of the setup and not involve any commands.

gbraad avatar Oct 28 '21 09:10 gbraad

The initial connection to the cluster using oc is currently unsecure as oc does not know which CA is being used. I'm guessing it's the same CA as the one you can get with oc -n openshift-ingress-operator get secret router-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt ? It might make sense to provide ca.crt as part of the bundle, similar to what we do for the ssh key.

cfergeau avatar Nov 03 '21 15:11 cfergeau

It is one of the certs from crc console -ojson | jq -r .clusterConfig.cacert | base64 -d -

praveenkumar avatar Nov 09 '21 06:11 praveenkumar

I think we need to discuss the use of a CA cert in a more generic way. Ideally we do not want them to be identical among all systems, but we also do not want them to be recreated and cause an increase in startup time that will be 'noticeable'.

gbraad avatar Nov 10 '21 13:11 gbraad

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 09 '22 16:01 stale[bot]

> I am not sure why you want us to 'wrap' this in CRC.

Because it would be much more user-friendly.

> It would make more sense to streamline the whole process and make this part of the setup and not involve any commands.

That would be ideal. But is that even doable?

kadel avatar Jan 18 '22 16:01 kadel

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 22 '22 04:03 stale[bot]