
Configurable Certificate Generation

Status: Open. danehans opened this issue 5 years ago • 4 comments

Please describe the problem you have

Currently, the contour-certgen is responsible for generating certificates used to secure Contour<>Envoy communication. Cert generation should be configurable, providing options for cert-gen, cert-manager, and contour-operator generated certs.

Additional Considerations:

  • Most clusters don't have the necessary feature gate turned on, so the operator could delete the certgen job if it is successful.
  • The operator generates certs and stores them in a secret that is referenced by contour/envoy
  • Expose cert generation through the Contour API.
  • Should the operator run contour certgen binary?

xref: https://github.com/projectcontour/contour-operator/pull/31

/cc @jpeach @stevesloka @Miciah

danehans avatar Oct 06 '20 22:10 danehans
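What the "operator generates certs and stores them in a secret" option above would amount to, as an added example in Go that is not Contour's or contour-operator's code: the operator mints a private CA, a serving certificate for Contour and a client certificate for Envoy, and returns them keyed the way a Kubernetes Secret's data field is. The Secret key names, the Contour DNS name, the lifetime and the role split by ExtKeyUsage are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

func pemBlock(typ string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: b}) }
// GenerateSecretData builds the data an operator would write into one Kubernetes Secret: a private CA,
// a serving cert for Contour and a client cert for Envoy. ExtKeyUsage scopes each leaf to its role, so
// a leaked Envoy client cert cannot pose as Contour. Key names ("ca.crt", "contour.crt", ...) are assumed.
func GenerateSecretData(contourDNS string, ttl time.Duration) (map[string][]byte, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "contour-operator-ca"},
		NotBefore: now, NotAfter: now.Add(ttl), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// Sign leaves with the parsed CA so its SubjectKeyId becomes the leaves' AuthorityKeyId.
	caCert, _ := x509.ParseCertificate(caDER)
	data := map[string][]byte{"ca.crt": pemBlock("CERTIFICATE", caDER)}
	leaf := func(serial int64, name string, eku x509.ExtKeyUsage, dns []string) error {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames: dns, NotBefore: now, NotAfter: now.Add(ttl),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		if err != nil {
			return err
		}
		keyDER, _ := x509.MarshalECPrivateKey(key)
		data[name+".crt"], data[name+".key"] = pemBlock("CERTIFICATE", der), pemBlock("EC PRIVATE KEY", keyDER)
		return nil
	}
	err = leaf(2, "contour", x509.ExtKeyUsageServerAuth, []string{contourDNS})
	if err == nil {
		err = leaf(3, "envoy", x509.ExtKeyUsageClientAuth, nil)
	}
	return data, err
}
```

A real operator would also rotate these before NotAfter and restart or reload the consumers, which this block does not cover.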

The goal of v1alpha1 is for the operator to produce a deployment equivalent to what a user would get by applying https://github.com/projectcontour/contour/tree/main/examples/contour, so this issue is post-v1alpha1.

Miciah avatar Oct 26 '20 18:10 Miciah

xref contour cert-manager docs: https://projectcontour.io/guides/cert-manager/

danehans avatar Oct 27 '20 16:10 danehans

I'd like to refer back to a comment from @stevesloka:

I think the operator should just create the certs without running a job, but that package isn't exposed in Contour so we need to do that work first. Duplicating the code doesn't seem like a good approach, but would unblock the operator work. I guess it could also call the contour binary like the certgen job as another intermediate step.

https://github.com/projectcontour/contour-operator/pull/31#issuecomment-700952995

I think we also discussed something like this on one of the Project Contour Community Meeting calls. As I understand it, the suggestion here is to break the internal logic of certgen out into a library that the operator and certgen executables would share. Do I understand the suggestion correctly?

I cannot find any issue for breaking the certgen logic out into a library. Has anyone opened such an issue, or should one be opened under projectcontour/contour (or somewhere else)?

Lastly, certgen has been extended in the past to have some degree of compatibility with cert-manager; would it make sense to continue down this path, and extend the certgen library to support arbitrary platform-specific certificate management systems? So rather than having contour-operator provide a choice between certgen, cert-manager, serving cert signer, or what have you, instead contour-operator would use certgen, and certgen would have capabilities to work independently or to integrate with cert-manager/serving cert signer/whatever. Would this approach be acceptable?

Miciah avatar Nov 13 '20 20:11 Miciah

I opened https://github.com/projectcontour/contour/issues/3130 to track this work. I think exposing the cert-gen logic would allow the operator to generate certs dynamically without having to run the job.

stevesloka avatar Nov 16 '20 17:11 stevesloka