
[Feature Request] Allow cert-manager to sign IPSec CSRs #5073

Open
cruickshankpg opened this issue Mar 11, 2025 · 3 comments
Labels: feature (New network feature)

Comments

@cruickshankpg

Description

Currently when IPSec is enabled kube-ovn-controller is responsible for:

  1. enabling IPSec in OVNNB
  2. generating the ovn-ipsec-ca secret if it doesn't exist
  3. signing CSRs from kube-ovn-cni pods

In our k8s deployments we use cert-manager to sign all our other CSRs and ideally we would use it for IPSec as well.

I think I can achieve this currently by removing permissions for certificates.k8s.io apiGroups in the system:ovn ClusterRole. kube-ovn-controller appears healthy but it does then periodically log errors:

0311 15:56:39.748324       7 reflector.go:561] k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list *v1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kube-system:ovn" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0311 15:56:39.748424       7 reflector.go:158] "Unhandled Error" err="k8s.io/[email protected]/tools/cache/reflector.go:243: Failed to watch *v1.CertificateSigningRequest: failed to list *v1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User \"system:serviceaccount:kube-system:ovn\" cannot list resource \"certificatesigningrequests\" in API group \"certificates.k8s.io\" at the cluster scope" logger="UnhandledError"

It would be nice if there was a config flag to disable the csrInformer and not generate the ovn-ipsec-ca secret but still enable ipsec in ovnnb. And then a helm value to set the config flag and toggle the ClusterRole permissions.

Who will benefit from this feature?

IPSec users that use cert-manager

Anything else?

No response

@cruickshankpg cruickshankpg added the feature New network feature label Mar 11, 2025
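Once the certificates.k8s.io permissions are removed from the system:ovn ClusterRole as described above, the reflector errors become expected noise, and an operator wants to tell them apart from RBAC denials that would indicate a real misconfiguration. The following Python example is added here and is not part of the issue or of kube-ovn; the sample log lines are constructed from the format quoted above, and the EXPECTED_DROPPED set and the service account name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the klog/reflector format quoted in the issue (not taken
# from a live cluster). Line 2 uses the err="..." form, where quotes are backslash-escaped.
SAMPLE_LOG = r'''
E0311 15:56:39.748324       7 reflector.go:561] failed to list *v1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kube-system:ovn" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0311 15:56:39.748424       7 reflector.go:158] "Unhandled Error" err="Failed to watch *v1.CertificateSigningRequest: User \"system:serviceaccount:kube-system:ovn\" cannot list resource \"certificatesigningrequests\" in API group \"certificates.k8s.io\" at the cluster scope" logger="UnhandledError"
E0311 15:57:01.000001       7 reflector.go:561] failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:ovn" cannot list resource "secrets" in API group "" at the cluster scope
I0311 15:57:02.000002       7 controller.go:100] IPsec enabled in OVN NB
'''

# Permissions deliberately dropped from the system:ovn ClusterRole so that cert-manager,
# not kube-ovn-controller, signs IPsec CSRs (assumed; adjust to what was actually removed).
EXPECTED_DROPPED = {("certificates.k8s.io", "certificatesigningrequests")}
OVN_SERVICE_ACCOUNT = "system:serviceaccount:kube-system:ovn"

# Matches the apiserver's forbidden message; `\\?"` accepts both a bare quote and the
# escaped `\"` that appears inside err="..." fields.
DENIAL_RE = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
)


@dataclass(frozen=True)
class RbacDenial:
    user: str
    verb: str
    resource: str
    group: str  # "" is the core API group


def parse_denial(line: str) -> Optional[RbacDenial]:
    """Return the structured RBAC denial in a log line, or None if it is not one."""
    m = DENIAL_RE.search(line)
    return RbacDenial(**m.groupdict()) if m else None


def is_expected_denial(d: RbacDenial, service_account: str = OVN_SERVICE_ACCOUNT) -> bool:
    """True only for the denial that the intentional permission removal causes."""
    return d.user == service_account and (d.group, d.resource) in EXPECTED_DROPPED


def triage(log: str) -> Tuple[List[RbacDenial], List[RbacDenial]]:
    """Split all RBAC denials in `log` into (expected, unexpected) lists."""
    expected: List[RbacDenial] = []
    unexpected: List[RbacDenial] = []
    for line in log.splitlines():
        d = parse_denial(line)
        if d is not None:
            (expected if is_expected_denial(d) else unexpected).append(d)
    return expected, unexpected
```

Any entry in the unexpected list (here, the secrets denial) points at a permission that was not meant to be removed and should be investigated rather than filtered.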
@oilbeater
Collaborator

@changluyi can you take a look at this?

@cruickshankpg
Author

Looks like the kube-ovn-cni pods should also create cert-manager CertificateRequests rather than k8s CertificateSigningRequests. cert-manager does have experimental support for signing CSRs.

@changluyi
Collaborator

I think this is a good suggestion, I will consider using cert-manager's CertificationRequests in future implementations.

It looks like the kube-ovn-cni pods should also create cert-manager CertificationRequests rather than k8s CertificationSigningRequests. cert-manager does have experimental support for signing CSRs.
