
Comments (2)

cfryanr commented on June 1, 2024

Hi @aslafy-z,

Thanks for creating an issue! I assume you are using an ingress for the Concierge's impersonation proxy port?

As you've noted, there are certain TLS certs that are auto-created and auto-rotated. Be careful here though, the api.servingCertificate.durationSeconds controls the rotation of a different auto-generated TLS certificate. That cert is used to help register the Concierge as an aggregated API server with the Kubernetes API server (on the APIService resource). That cert is only used inside the cluster between the Kubernetes API server and the Concierge, and should not be used for the impersonation proxy (which serves traffic from clients that are outside the cluster). You should not need to use an ingress controller for this, because the installation manifest yaml will create a ClusterIP service for this purpose, and it should only receive traffic from inside the cluster (more specifically only from the Kubernetes API server).

As you've seen, the default behavior of the impersonation proxy is to create its own CA, create its own TLS certificate, create a load balancer service, and start serving traffic using the IP of the load balancer service as the ingress address for clients. This auto-generated TLS certificate has a 100 year expiration and will not be rotated by default. (It is created by this controller.)

The default behavior is probably fine for simple use cases, but for Concierge admins who have more complex networking/ingress requirements it may not be sufficient. For example, if you need to use an ingress for all incoming traffic to the cluster, then you might not want to have a separate load balancer for the impersonation proxy.

That's why you are able to change the service that the Concierge will create, if you do not prefer to use a load balancer. You can tell it to create a ClusterIP service instead of an LB service, or you can tell it not to create a service at all because you prefer to create your own. You can configure this in the CredentialIssuer.spec (see docs).

In recent versions of Pinniped, there is a new feature where you can now also control the TLS certs to be served by the impersonation proxy. (See blog post for a detailed example of how to use this.) This, together with being able to create your own service, gives you almost complete control over how ingress and TLS work for your impersonation proxy on each cluster.

Please let us know if that explanation helps, or if you have any more questions about setting up ingress for the Concierge.

from pinniped.
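The comment above describes two knobs in `CredentialIssuer.spec`: the kind of Service the Concierge creates for the impersonation proxy, and the TLS serving certificate it presents. The manifests below are an added illustration, not taken from cfryanr's comment or from the Pinniped project's documentation. The apiVersion, the field names under `spec.impersonationProxy`, the object name `pinniped-concierge-config` and the namespace `pinniped-concierge` are written from memory of the CredentialIssuer API and are assumptions to be checked against the CRD installed in your cluster (`kubectl explain credentialissuer.spec.impersonationProxy`); the hostname, Secret name and CA value are constructed placeholders.

```yaml
# Variant 1: the Concierge still creates the Service, but as a ClusterIP
# (so an existing ingress controller can front it), and serves an
# operator-managed certificate instead of the auto-generated 100-year one.
apiVersion: config.concierge.pinniped.dev/v1alpha1
kind: CredentialIssuer
metadata:
  name: pinniped-concierge-config      # assumed default name from the install manifest
  namespace: pinniped-concierge        # assumed default namespace
spec:
  impersonationProxy:
    mode: enabled                      # do not wait for the "auto" heuristics
    # Clients reach the proxy through the ingress, so tell the Concierge the
    # external name it should advertise to kubeconfigs.
    externalEndpoint: concierge.example.com   # constructed placeholder
    service:
      type: ClusterIP                  # instead of the default LoadBalancer
    tls:
      # Secret of type kubernetes.io/tls in the Concierge namespace holding a
      # cert whose SAN covers externalEndpoint. Issued by your PKI or
      # cert-manager, so rotation is handled outside the Concierge.
      secretName: impersonation-proxy-tls     # constructed placeholder
      # Base64 PEM bundle that clients should trust for this endpoint; omit
      # if the serving cert chains to a publicly trusted CA.
      certificateAuthorityData: LS0tLS1CRUdJTi...PLACEHOLDER...
---
# Variant 2: the Concierge creates no Service at all; the operator owns the
# Service/Ingress objects and only tells the Concierge where clients connect.
apiVersion: config.concierge.pinniped.dev/v1alpha1
kind: CredentialIssuer
metadata:
  name: pinniped-concierge-config
  namespace: pinniped-concierge
spec:
  impersonationProxy:
    mode: enabled
    externalEndpoint: concierge.example.com:443   # constructed placeholder
    service:
      type: None                       # bring-your-own Service pointing at the proxy port
    tls:
      secretName: impersonation-proxy-tls
```

Two points a reviewer would want to verify after applying either variant: that `api.servingCertificate.durationSeconds` was left alone (it governs the in-cluster aggregated API cert, which the comment notes is unrelated to ingress), and that the certificate presented on the external endpoint is the one from `secretName` rather than the auto-generated one, for example by inspecting its issuer and `notAfter` with `openssl s_client -connect concierge.example.com:443 -servername concierge.example.com </dev/null | openssl x509 -noout -issuer -dates`.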

cfryanr commented on June 1, 2024

Hi @aslafy-z, did the above comment help? I didn't hear back from you so I will close this issue for now, but please feel free to add questions/comments or reopen the issue.
