Find a way to make TLS required #85

Open
dtantsur opened this issue Nov 25, 2024 · 3 comments
Labels
help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/feature: Categorizes issue or PR as related to a new feature.
triage/accepted: Indicates an issue is ready to be actively worked on.

Comments

@dtantsur
Member

Currently, if tlsRef is not provided, TLS is not enabled. I don't think anybody should be deploying without TLS, even if it's just a self-signed certificate. Options to consider:

  1. Just error out (ideally, on the webhook level) if the TLS secret is not provided. This is a bit nuclear but also the simplest path.
  2. Use cert-manager to generate a self-signed certificate. If cert-manager is not available, either fail or go to 3.
  3. Generate a self-signed certificate locally. This is not a great option since it may be quite hard to refresh the certificate generated this way (cert-manager does it for free).

Same thing needs to be done with MariaDB.

Let's start with researching what other established operators (prometheus, postgresql, etc) are doing in this area.

/kind enhancement
/help
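
Option 3 and its refresh concern, as an added example (not part of the issue and not the operator's code): a self-signed server certificate generated with Go's standard library, plus the expiry check an operator would have to run itself. The names `SelfSigned` and `NeedsRenewal`, the host name and the 90/30-day periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned (hypothetical helper) issues a self-signed ECDSA P-256 server certificate for host.
func SelfSigned(host string, from time.Time, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: from, NotAfter: from.Add(validFor), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template and parent are the same certificate: that is what makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NeedsRenewal (hypothetical helper) reports whether now is within window of the certificate's expiry.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-window))
}

func main() {
	start := time.Now()
	cert, _, err := SelfSigned("ironic.example.test", start, 90*24*time.Hour) // constructed host name
	if err != nil {
		panic(err)
	}
	fmt.Println("expires:", cert.NotAfter, "renew now:", NeedsRenewal(cert, start, 30*24*time.Hour))
}
```

With a locally generated certificate, something has to call a check like `NeedsRenewal` on every reconcile, reissue the certificate and restart or reload its consumers.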

@metal3-io-bot
Contributor

@dtantsur:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.


@metal3-io-bot
Contributor

@dtantsur: The label(s) kind/enhancement cannot be applied, because the repository doesn't have them.


@metal3-io-bot added the help wanted and needs-triage labels on Nov 25, 2024
@dtantsur added the kind/feature label on Nov 25, 2024
@dtantsur added this to the MVP milestone on Nov 27, 2024
@Rozzii
Member

Rozzii commented Dec 4, 2024

/triage accepted

@metal3-io-bot added the triage/accepted label and removed the needs-triage label on Dec 4, 2024
@dtantsur modified the milestones: IrSO - v0.1, IrSO - v0.2 on Jan 13, 2025
@dtantsur removed this from the IrSO - v0.2 milestone on Feb 17, 2025