
Rotate Operator TLS certificate in-memory #1251

Merged
merged 1 commit into from
Aug 25, 2022

Conversation

Alevsk
Contributor

@Alevsk Alevsk commented Aug 23, 2022

  • certNeedsRenewal didn't support kubernetes.io/tls,
    cert-manager.io/v1alpha2 or cert-manager.io/v1 secrets
  • Rotate the operator certificate if it is expired and refresh it in-memory

Signed-off-by: Lenin Alevski [email protected]

- certNeedsRenewal didn't support kubernetes.io/tls,
  cert-manager.io/v1alpha2 or cert-manager.io/v1 secrets
- Rotate the operator certificate if it is expired and refresh it in-memory

Signed-off-by: Lenin Alevski <[email protected]>
@Alevsk Alevsk force-pushed the operator-tls-certificate-rotate branch from f7c2b86 to 02014f0 August 24, 2022 01:19
@pjuarezd
Member

Did a little script to verify the Certs

#!/bin/bash
# Compare the certificate stored in the operator-tls secret with the one the
# running operator actually serves. A mismatch means the rotated certificate
# was written to the secret but not refreshed in the operator's memory.

# Fingerprint of the cert in the secret (public.crt is stored base64-encoded)
FINGERPRINT_IN_SECRET=$(kubectl get secret -n minio-operator operator-tls -o jsonpath="{.data['public\.crt']}" | base64 --decode | openssl x509 -noout -fingerprint -sha1 -in /dev/stdin)
echo "Cert fingerprint in minio-operator/operator-tls secret: $FINGERPRINT_IN_SECRET"

# Fingerprint of the cert the operator service presents, fetched from inside the leader pod
FINGERPRINT_IN_SERVER=$(kubectl exec $(kubectl get pods -n minio-operator -l operator=leader -o name) -n minio-operator -- openssl s_client -connect operator.minio-operator.svc.cluster.local:4222 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1 -in /dev/stdin)

echo "Cert fingerprint in running operator service: $FINGERPRINT_IN_SERVER"

if [ "$FINGERPRINT_IN_SECRET" == "$FINGERPRINT_IN_SERVER" ]; then
  echo "Fingerprints match!"
else
  echo "Oh no, certificates are different!"
fi

It seems to work: when I set in kubernetes a cluster-signing-duration lower than 48 hours, the operator loops and re-creates the operator-tls certificate when creating a new tenant; each time the operator-tls certificate is rotated, the thumbprints of the secret and the running operator coincide.

➜  operator git:(1251) ✗ kubectl get secret -n minio-operator operator-tls -o jsonpath={.metadata.creationTimestamp}
2022-08-24T20:51:15Z%
➜  operator git:(1251) ✗ ./testing/cert-test/verify.sh
Cert fingerprint in minio-operator/operator-tls secret: SHA1 Fingerprint=F0:16:C1:90:06:09:CB:C8:14:0D:40:FD:00:02:04:AA:D5:12:87:77
Cert fingerprint in running operator service: SHA1 Fingerprint=F0:16:C1:90:06:09:CB:C8:14:0D:40:FD:00:02:04:AA:D5:12:87:77
Fingerprins match!
➜  operator git:(1251) ✗ kubectl get secret -n minio-operator operator-tls -o jsonpath={.metadata.creationTimestamp}
2022-08-24T21:01:28Z%
➜  operator git:(1251) ✗ ./testing/cert-test/verify.sh
Cert fingerprint in minio-operator/operator-tls secret: SHA1 Fingerprint=DE:41:D4:BE:D4:7F:CD:1F:89:68:36:03:5B:F1:B8:48:FE:1A:48:B5
Cert fingerprint in running operator service: SHA1 Fingerprint=DE:41:D4:BE:D4:7F:CD:1F:89:68:36:03:5B:F1:B8:48:FE:1A:48:B5
Fingerprins match!
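As an added example, not code from this PR or from the MinIO operator repository: a stand-alone Go sketch of the two things discussed above, reading the certificate out of the secret under the key each secret type uses (tls.crt for kubernetes.io/tls secrets, which is what cert-manager issues; public.crt for the operator's Opaque operator-tls secret) and deciding whether it needs renewal. The RenewalWindow value, the minimal secret stand-in and the selfSignedPEM test helper are assumptions; the 48h figure is taken from the test comment above, not from the operator's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is an assumed threshold, taken from the 48h figure in the test comment above.
const RenewalWindow = 48 * time.Hour
// secret is a minimal stand-in for corev1.Secret: its type and data map.
type secret struct {
	Type string
	Data map[string][]byte
}
// certFromSecret reads the certificate under the key each secret type uses:
// tls.crt for kubernetes.io/tls (what cert-manager issues), public.crt for the operator's Opaque secret.
func certFromSecret(s secret) (*x509.Certificate, error) {
	key := "public.crt"
	if s.Type == "kubernetes.io/tls" {
		key = "tls.crt"
	}
	block, _ := pem.Decode(s.Data[key])
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM certificate under %q in %s secret", key, s.Type)
	}
	return x509.ParseCertificate(block.Bytes)
}
// certNeedsRenewal is true when the cert is unreadable, expired, or expires within RenewalWindow.
func certNeedsRenewal(s secret, now time.Time) bool {
	c, err := certFromSecret(s)
	return err != nil || !now.Add(RenewalWindow).Before(c.NotAfter)
}
// selfSignedPEM builds a constructed self-signed test certificate valid for d starting at nb.
func selfSignedPEM(nb time.Time, d time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: nb.Add(d)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	s := secret{Type: "Opaque", Data: map[string][]byte{"public.crt": selfSignedPEM(time.Now(), 24*time.Hour)}}
	fmt.Println("operator-tls needs renewal:", certNeedsRenewal(s, time.Now())) // true: under 48h left
}
```

The unreadable-secret case deliberately returns true, so a secret of an unexpected type or with a missing key triggers rotation instead of being silently served past expiry.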

@Alevsk Alevsk merged commit ec4e74c into minio:master Aug 25, 2022
@Alevsk Alevsk deleted the operator-tls-certificate-rotate branch August 25, 2022 01:23