Add root key to internal certificate secret example #1741

Merged (1 commit), Sep 1, 2023


nasark
Member

@nasark nasark commented Sep 1, 2023

@miq-bot assign @bdunne
@miq-bot add_reviewer @Fryguy
@miq-bot add_label enhancement

@miq-bot
Member

miq-bot commented Sep 1, 2023

Checked commit nasark@64760e1 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 👍

@Fryguy Fryguy merged commit 3d2f26d into ManageIQ:master Sep 1, 2023
@Fryguy Fryguy assigned Fryguy and unassigned bdunne Sep 1, 2023
github-actions bot pushed a commit to ManageIQ/manageiq.github.io that referenced this pull request Sep 1, 2023
@bdunne
Member

bdunne commented Sep 11, 2023

the root key is needed for downstream Kafka SSL configuration

Why would any server need the CA private key? This feels like a CVE waiting to happen.
It shouldn't even need the CA public key unless it is attempting to connect to itself (for debugging purposes) or to another server signed by that CA.

@nasark
Member Author

nasark commented Sep 11, 2023

> Why would any server need the CA private key? This feels like a CVE waiting to happen.
> It shouldn't even need the CA public key unless it is attempting to connect to itself (for debugging purposes) or to another server signed by that CA.

@bdunne It's not required by us, but rather Strimzi does a check to see if the following secrets are available: https://strimzi.io/docs/operators/in-development/deploying.html#installing-your-own-ca-certificates-str. If the `<cluster_name>-cluster-ca` secret, which contains the CA key, is not available, then Kafka is not deployed. Usually Strimzi generates the CA key/certs and creates the secrets for you, but since we are bringing our own certs in the form of `internalCertificateSecret`, it needs to be specified here.
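
For reviewers who want to see which Secrets actually carry private key material (the concern raised in this thread), the following added example, which is not part of this pull request or of the ManageIQ or Strimzi code, classifies the `data` entries of Secret manifests. The secret names, the `ca.key`/`ca.crt` entry names and the PEM bodies are constructed for illustration, and only base64 `data` entries are inspected (not `stringData`).

```python
import base64
import re

# PEM headers that mark private key material vs. a certificate.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|ENCRYPTED) )?PRIVATE KEY-----")
CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----")


def classify_secret(manifest):
    """Map each data entry to private-key, certificate, other or invalid-base64."""
    result = {}
    for name, b64 in (manifest.get("data") or {}).items():
        try:
            raw = base64.b64decode(b64, validate=True)
        except (ValueError, TypeError):  # binascii.Error is a ValueError
            result[name] = "invalid-base64"
            continue
        if PRIVATE_KEY_RE.search(raw):
            result[name] = "private-key"
        elif CERT_RE.search(raw):
            result[name] = "certificate"
        else:
            result[name] = "other"
    return result


def secrets_holding_private_keys(manifests):
    """Return sorted (secret name, data key) pairs that hold private keys."""
    hits = []
    for m in manifests:
        for key, kind in classify_secret(m).items():
            if kind == "private-key":
                hits.append((m["metadata"]["name"], key))
    return sorted(hits)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample manifests; names and PEM bodies are placeholders.
SAMPLE = [
    {"metadata": {"name": "example-cluster-ca"}, "data": {"ca.key": _b64(
        "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")}},
    {"metadata": {"name": "example-cluster-ca-cert"}, "data": {"ca.crt": _b64(
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")}},
]

if __name__ == "__main__":
    print(secrets_holding_private_keys(SAMPLE))
```

Any secret this reports is one whose read access (RBAC, volume mounts) is worth restricting to the components that must sign with it.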

@Fryguy
Member

Fryguy commented Sep 12, 2023

Backported to quinteros in commit af0da36.

commit af0da36deb8457ed0bc9adb839e504d0538db220
Author: Jason Frey <[email protected]>
Date:   Fri Sep 1 09:35:30 2023 -0400

    Merge pull request #1741 from nasark/add_root_key_pods_ssl
    
    Add root key to internal certificate secret example
    
    (cherry picked from commit 3d2f26d15affc13255d4af94ac4fe55e6167a372)

Fryguy added a commit that referenced this pull request Sep 12, 2023
Add root key to internal certificate secret example

(cherry picked from commit 3d2f26d)
github-actions bot pushed a commit to ManageIQ/manageiq.github.io that referenced this pull request Sep 12, 2023