Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow Contour to work with Opaque secret as long as it contains tls.crt and tls.key #3180

Closed
tsaarni opened this issue Dec 7, 2020 · 3 comments · Fixed by #4799
Closed

Allow Contour to work with Opaque secret as long as it contains tls.crt and tls.key #3180

tsaarni opened this issue Dec 7, 2020 · 3 comments · Fixed by #4799
Assignees
@skriss
Labels
area/tls Issues or PRs related to TLS support. kind/feature Categorizes issue or PR as related to a new feature.
Milestone
1.24.0

Comments

@tsaarni
Copy link
Member

tsaarni commented Dec 7, 2020

I would like Contour to accept secrets that are type Opaque as long as the secret has required fields: tls.crt and tls.key. Currently Contour checks for the validity of secrets by:

  1. check that the secret contains fields: tls.crt and tls.key
  2. check that the type field is set to kubernetes.io/tls

Having the type check (2) is not necessary for the secret to work - it is redundant and I would like to propose removing it. I do not propose any documentation changes - the type kubernetes.io/tls should still be recommended. According to the good old robustness principle ("Be conservative in what you do, be liberal in what you accept from others") Contour could work with other types as well as long as it contains the required certificate and key fields checked in (1).

The use case for this change is to allow referring to secret that was created as Opaque using something like kubectl create secret generic mycert --from-file=tls.crt --from-file=tls.key --from-file=ca.crt. The secret is not exactly conforming to the kubernetes.io/tls but would work if the additional check (2) was removed.

The topic is also discussed at Slack https://kubernetes.slack.com/archives/C8XRH2R4J/p1607344706059900
@tsaarni tsaarni added kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Dec 7, 2020
@skriss
Copy link
Member

skriss commented Dec 7, 2020
edited
Loading

That seems OK to me, 👍.

Note that there's another similar but different validity check for secrets that gets called before adding a secret to the Contour cache of Kubernetes objects. I'm not totally clear on why there are two separate functions for this; it'd be nice to de-dupe if possible. Perhaps another maintainer has more context than me :)

@jpeach
Copy link
Contributor

jpeach commented Dec 7, 2020

Mixed feelings about this (since IIRC I added the check). If nothing looks at the type, what's the point of it? If the type id consistently used and required, maybe that's helpful for an auditing or access control, but OTOH if there's no enforcement then there's no way to get consistent behavior.

@youngnick
Copy link
Member

When we talked about this originally, I'm pretty sure it was just because that was the standard way to represent TLS details in Kubernetes. I think I'm okay with allowing this as long as we're clear that Secrets of type kubernetes.io/tls automatically meet the key requirements.

@skriss skriss mentioned this issue Feb 17, 2021
Closed
@skriss skriss added the area/tls Issues or PRs related to TLS support. label Oct 12, 2022
@skriss skriss added this to the 1.24.0 milestone Oct 12, 2022
@skriss skriss added this to Contour Oct 12, 2022
@skriss skriss moved this to Todo in Contour Oct 12, 2022
@skriss skriss self-assigned this Oct 12, 2022
@skriss skriss moved this from Todo to In Progress in Contour Oct 12, 2022
skriss added a commit to skriss/contour that referenced this issue Oct 17, 2022
@skriss
allow TLS secrets to be of type Opaque
f19bdf3 
Closes projectcontour#3180.

Signed-off-by: Steve Kriss <[email protected]>
skriss added a commit to skriss/contour that referenced this issue Oct 17, 2022
@skriss
allow TLS secrets to be of type Opaque
7831d57 
Closes projectcontour#3180.

Signed-off-by: Steve Kriss <[email protected]>
skriss added a commit to skriss/contour that referenced this issue Oct 17, 2022
@skriss
allow TLS secrets to be of type Opaque
35ab009 
Closes projectcontour#3180.

Signed-off-by: Steve Kriss <[email protected]>
@skriss skriss mentioned this issue Oct 17, 2022
Merged
skriss added a commit to skriss/contour that referenced this issue Oct 21, 2022
@skriss
allow TLS secrets to be of type Opaque
ee82b17 
Closes projectcontour#3180.

Signed-off-by: Steve Kriss <[email protected]>
skriss added a commit that referenced this issue Oct 24, 2022
@skriss
allow TLS secrets to be of type Opaque (#4799)
f4778a5 
Closes #3180.

Signed-off-by: Steve Kriss <[email protected]>
Repository owner moved this from In Progress to Done in Contour Oct 24, 2022
moeyui1 pushed a commit to moeyui1/contour that referenced this issue Oct 26, 2022
@skriss @moeyui1
allow TLS secrets to be of type Opaque (projectcontour#4799)
ce8a03d 
Closes projectcontour#3180.

Signed-off-by: Steve Kriss <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skriss skriss

Labels
area/tls Issues or PRs related to TLS support. kind/feature Categorizes issue or PR as related to a new feature.
Projects
Contour
Status: Done
Milestone
1.24.0
Development

Successfully merging a pull request may close this issue.

allow TLS secrets to be of type Opaque skriss/contour
4 participants
@jpeach @tsaarni @skriss @youngnick