Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add gRPC client cert generation/rotation when running on OpenShift #206

Merged
merged 1 commit into from
Oct 6, 2023
Merged

Add gRPC client cert generation/rotation when running on OpenShift #206

merged 1 commit into from
Oct 6, 2023

Conversation

joelsmith
Copy link
Contributor

@joelsmith joelsmith commented Oct 6, 2023
edited
Loading

When not running on OpenShift, use the certificate generation/rotation
built in to the KEDA operator, and use its single certificate and the
CA certificate which signed it for all of the following:

  • KEDA operator's gRPC service
  • Metrics Server (adapter) API service endpoint
  • Validating admission webhook service endpoint
  • Client certificate used by the adapter to authenticate against the gRPC service

When running on OpenShift, use OpenShift-generated certificates (and the
cluster's service CA for validation) for each of the following services:

  • KEDA operator's gRPC service
  • Metrics Server (adapter) API service endpoint
  • Validating admission webhook service endpoint

The OLM operator generates CA and a gRPC client certificate for:

  • The adapter to authenticate itself to the KEDA operator (key/cert)
  • The KEDA operator's gRPC service to verify clients (the adapter) (CA
    cert)

Checklist

  • Commits are signed with Developer Certificate of Origin (DCO)

@joelsmith joelsmith requested a review from zroubalik as a code owner October 6, 2023 20:33
@joelsmith joelsmith mentioned this pull request Oct 6, 2023
Merged
1 task
@joelsmith joelsmith force-pushed the kedamain branch 2 times, most recently from 1727fb7 to 32dbba5 Compare October 6, 2023 22:15
@joelsmith
Add gRPC client cert generation/rotation when running on OpenShift
c854108 
When not running on OpenShift, use the certificate generation/rotation
built in to the KEDA operator, and use its single certificate and the
CA certificate which signed it for all of the following:
  * KEDA operator's gRPC service
  * Metrics Server (adapter) API service endpoint
  * Validating admission webhook service endpoint
  * Client certificate used by the adapter to authenticate against the gRPC service

When running on OpenShift, use OpenShift-generated certificates (and the
cluster's service CA for validation) for each of the following services:
  * KEDA operator's gRPC service
  * Metrics Server (adapter) API service endpoint
  * Validating admission webhook service endpoint
The OLM operator generates CA and a gRPC client certificate for:
  * The adapter to authenticate itself to the KEDA operator (key/cert)
  * The KEDA operator's gRPC service to verify clients (the adapter) (CA
    cert)

Signed-off-by: Joel Smith <joelsmith@redhat.com>
@jkyros
Copy link
Contributor

jkyros commented Oct 6, 2023

/lgtm

@joelsmith joelsmith merged commit f7b9701 into kedacore:main Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aravindhp aravindhp aravindhp left review comments

@zroubalik zroubalik Awaiting requested review from zroubalik zroubalik is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joelsmith @jkyros @aravindhp