[WIP] OSDOCS-19695: adds X.509 certificate support to RHCL #111690
ShaunaDiaz wants to merge 1 commit into
@ShaunaDiaz: This pull request references OSDOCS-19695 which is a valid jira issue.
🤖 Fri May 15 15:46:43 - Prow CI generated the docs preview: https://111690--ocpdocs-pr.netlify.app/rhcl/latest/deployment/deployment.html
//Q: would we create this filter manually on OpenShift, or just use the Gateway or AuthPolicy?
Create an EnvoyFilter to configure Envoy's DownstreamTlsContext for client certificate validation:

We're missing a step before this one: mounting the CA cert from the ConfigMap into the gateway pods: https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/user-guides/auth/x509-tier2-provider-specific.md#step-4-mount-ca-certificate-into-gateway-pods
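An added illustration of the EnvoyFilter the step above refers to, not YAML from this PR or the upstream guide: it patches the TLS listener of the gateway so Envoy requires a client certificate and validates it against the CA file that the mount step must already have placed in the gateway pods. The gateway name and namespace (mtls-gateway in gateway-system, as proposed in this thread), the listener port, the workload label and the CA mount path are assumptions.

```yaml
# Added example, not from the PR. Assumes the CA bundle from the ConfigMap is
# already mounted into the gateway pods (the missing prerequisite step) at the
# path given in trusted_ca.filename; that path and port 443 are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: mtls-gateway-client-cert
  namespace: gateway-system
spec:
  # Restrict the patch to the pods of the mtls-gateway Gateway only
  # (assumed label; confirm it matches the gateway Deployment's pods).
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-name: mtls-gateway
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        portNumber: 443          # assumed HTTPS listener port
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            # Fail the handshake when no client certificate is presented,
            # rather than silently falling back to one-way TLS.
            require_client_certificate: true
            common_tls_context:
              validation_context:
                # Only client certificates that chain to this CA bundle
                # (the mounted ConfigMap) are accepted.
                trusted_ca:
                  filename: /etc/ssl/client-ca/ca.crt   # assumed mount path
```

Before relying on it, confirm the patch actually landed: `istioctl proxy-config listener <gateway-pod> -n gateway-system -o json` should show `require_client_certificate: true` on the 443 filter chain, and a connection that presents no client certificate should now be rejected at the TLS layer rather than reaching the AuthPolicy.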
[id="rhcl-ts-x509-auth"]
= Troubleshooting X.509 authentication

//Q: would we use all of these on OpenShift?
[id="rhcl-x509-auth-prep-cas-and-certs"]
= Prepare certificate authorites and client certificates

//Q: downstream, would we use cert-manager or Service CA for some or all of this procedure?
IDK for sure, but I was wondering about the instructions to create a TLS-enabled gateway anyway.
The upstream user guide provides top-to-bottom instructions to enable this feature, from defining a gateway, to testing the authentication using a test client cert. We have documentation about how to enable TLS on a Gateway using the TLSPolicy. For the "Using X.509 cryptographic identity verification" guide, because this is focused on Tier 2, if you prefer, we could skip the procedure for defining the Gateway object, which includes the cert-manager CR and the TLSPolicy, to just refer to this other doc and mention that gateway is assumed to be called mtls-gateway, in the gateway-system namespace, for the next steps.
Please let me know what you prefer.
This content is from Step 3, https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/user-guides/auth/x509-tier2-provider-specific.md#step-3-configure-gateway. I just pulled in the YAMLs from the link.
I'm pretty sure we don't give instructions anywhere in the current docs for the cert-manager CR. We probably want it here, right?
The cert-manager CR is only for the TLSPolicy to work. If we have a page where we explain about the TLSPolicy and how to use it, that's the one.
Do we always need cert-manager for all TLSPolicies? This is the existing doc: https://docs.redhat.com/en/documentation/red_hat_connectivity_link/1.3/html/deploying_red_hat_connectivity_link/rhcl-config-deploy-gateway-policies#proc-set-tls-policy_rhcl-config-deploy-gateway-policies
Yes. It's not explicitly mentioned as a prerequisite in section 1.2.2, but spread all over the doc. In fact, section 1.2.1 is all about using cert-manager in preparation for a TLSPolicy. And as you can see from the example TLSPolicy resource provided further below, there's an issuerRef field that references a cert-manager object (of Issuer or ClusterIssuer kind).
[id="rhcl-verifying-x509-auth"]
= Verifying X.509 authentication

//Q: would we test this way on OpenShift?
This feature is covered by our automated tests from our test suite that run on OpenShift: Kuadrant/testsuite#894.
@ShaunaDiaz: The following test failed, say
Version(s):
rhcl-docs-main
rhcl-docs.1.4
Issue:
OSDOCS-19695
Link to docs preview:
https://111690--ocpdocs-pr.netlify.app/rhcl/latest/deployment/rhcl-using-x509-crypt-id-verify.html
QE review: