kubeovn / kube-ovn / 16158575117
23%

Build:
DEFAULT BRANCH: master
Ran 09 Jul 2025 02:09AM UTC
Jobs 1
Files 184
Run time 1min
09 Jul 2025 02:04AM UTC coverage: 21.396% (-0.1%) from 21.536%
16158575117

push

github

web-flow
Use cert-manager to issue certificates for IPSec (#5365)

* Add support for issuing IPSec tunnel certificates using cert-manager.

When cert-manager certificates are enabled, the controller no longer generates the IPSec CA cert or private key stored in the `ovn-ipsec-ca` secret. The secret should be populated with the same CA as configured with cert-manager. It still enables IPSec in OVN NB.

When cert-manager certificates are enabled the CNI daemon creates cert-manager CertificateRequest resources instead of CSRs. A cert-manager ClusterIssuer should be configured to approve and sign these CertificateRequests with a matching CA as configured in `ovn-ipsec-ca` secret. The name of the issuer to use is configurable in the CNI.

The CNI daemon now watches the `ovn-ipsec-ca` secret for changes allowing for rollout of a new trust bundle. It verifies the currently configured certificate is signed by the new bundle and if not then triggers a new certificate to be issued. The daemon now splits each certificate in the CA bundle into a separate file as strongswan is unable to parse multiple CAs from a single file.

The CNI daemon now requests a new certificate when the current certificate is at least half way to expiry based on the times in the certificate. When generating a new certificate the daemon also generates a new key just in case the previous one was leaked somehow. The certificate lifetime is also now configurable rather than lasting for a year. The CNI no longer restarts the ipsec or ovs-ipsec-monitor services when the certificate changes and just requests ipsec to reread the CA certs if they change.

To allow for the CNI daemon to keep track of the versions of its key, certificate, and CA cert files it now stores them with locally unique names on disk. Keys and certs are suffixed with the timestamp they were generated. CA files are suffixed with the k8s revision number of the `ovn-ipsec-ca` secret.

The cert manager validation webhook (if used) shoul... (continued)

0 of 449 new or added lines in 5 files covered. (0.0%)

7 existing lines in 2 files now uncovered.

10515 of 49145 relevant lines covered (21.4%)

0.25 hits per line

New Missed Lines in Diff

Lines Coverage ∆ File
1 1.23 0.0% pkg/controller/controller.go
2 0.0 0.0% pkg/controller/config.go
15 0.0 0.0% pkg/daemon/config.go
61 0.0 0.0% pkg/daemon/controller.go
370 0.0 0.0% pkg/daemon/ipsec.go

Uncovered Existing Lines

Lines Coverage ∆ File
1 0.0 0.0% pkg/daemon/config.go
6 0.0 0.0% pkg/daemon/ipsec.go
Jobs
ID Job ID Ran Files Coverage
1 16158575117.1 09 Jul 2025 02:09AM UTC 184 21.4
GitHub Action Run
  • c880c835 on github
  • Prev Build on master (#16158320408)
  • Next Build on master (#16161177855)