You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When running on Kubernetes the SSL certificates are managed using cert-manager.
All we define are Issuers telling cert-manager what certificates to generate and renew.
This is working fine when the certificates are all in one cluster, but proxies and hub's peripheral servers will pretty likely be on separate and geographically remote clusters.
How do we handle the certificates chain in such a case?
Solutions
Here are several options I initially thought of:
Create all Issuers on the server cluster and somehow transfer them to the proxy / peripheral server
Pros:
this is quite easy to implement even if it requires the server pod to have the rights to create Issuers on its cluster
Cons:
There is no way to automate deploying the renewed certificates once cert-manager renewed them
Deploy a certificate generation tool on the main server
The idea is to use a tool like step-ca to generate certificates when requested by the proxies and servers.
On each cluster there would be a cert-manager instance asking the central step-ca for certificates.
This would even apply to the main server.
Pros:
This would be a fully automated SSL certificate chain
The technology behind let's encrypt
Cons:
Requires change in how we generate certificates on the server. This mean an upgrade path may be needed for users who already deployed Uyuni on Kubernetes.
This forces to deploy one more application on the cluster even if there are no proxies or hub peripheral servers.
This is redundent if the user already leverages an ACME-based PKI infrastructure
Unknowns:
Does it being an intermediate CA?
Using a vault for the certificates
cert-manager can store the generated certificates in a vault. I haven't investigated this option yet.
The text was updated successfully, but these errors were encountered:
Context
When running on Kubernetes the SSL certificates are managed using cert-manager.
All we define are
Issuerstellingcert-managerwhat certificates to generate and renew.This is working fine when the certificates are all in one cluster, but proxies and hub's peripheral servers will pretty likely be on separate and geographically remote clusters.
How do we handle the certificates chain in such a case?
Solutions
Here are several options I initially thought of:
Create all Issuers on the server cluster and somehow transfer them to the proxy / peripheral server
Pros:
Cons:
Deploy a certificate generation tool on the main server
The idea is to use a tool like step-ca to generate certificates when requested by the proxies and servers.
On each cluster there would be a
cert-managerinstance asking the centralstep-cafor certificates.This would even apply to the main server.
Pros:
Cons:
Unknowns:
Using a vault for the certificates
cert-managercan store the generated certificates in a vault. I haven't investigated this option yet.The text was updated successfully, but these errors were encountered: