[THREESCALE-7921] New APIcast CRD field: caCertificateSecretRef #252

Open: wants to merge 2 commits into master

@tkan145 tkan145 commented Mar 14, 2025

What

Fix https://issues.redhat.com/browse/THREESCALE-7921

Verification steps

  • Check out this branch

  • Run

make install
  • Create apicast config
export NAMESPACE=apicast-test
oc new-project $NAMESPACE

cat << EOF | oc create -f -
apiVersion: v1
kind: Secret
metadata:
  name: apicast-config-secret
  namespace: $NAMESPACE
type: Opaque
stringData:
  config.json: |
    {
      "services": [
        {
          "proxy": {
            "policy_chain": [
              { "name": "apicast.policy.upstream",
                "configuration": {
                  "rules": [{
                    "regex": "/",
                    "url": "http://echo-api.3scale.net"
                  }]
                }
              }
            ]
          }
        }
      ]
    }
EOF
  • Generate CA cert
openssl genrsa -out rootCA.key 2048
openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
  • Create secret
oc create secret generic cacert --namespace=apicast-test --from-file=ca-bundle.crt=rootCA.pem 
  • Create APIcast
cat << EOF | oc create -f -
apiVersion: apps.3scale.net/v1alpha1
kind: APIcast
metadata:
  name: example-apicast
  namespace: $NAMESPACE
spec:
  caCertificateSecretRef:
    name: cacert
  embeddedConfigurationSecretRef:
    name: apicast-config-secret
EOF
  • Run operator locally
make run
  • Wait for the APIcast pod to come online
  • Check that the cert is mounted correctly
 ▲ t/fixtures/CA oc get pod
NAME                                       READY   STATUS    RESTARTS   AGE
apicast-example-apicast-666bddf8d5-nns84   0/1     Running   0          27s
 ▲ t/fixtures/CA oc rsh apicast-example-apicast-666bddf8d5-nns84 cat /var/run/secrets/apicast/ca-bundle.crt
-----BEGIN CERTIFICATE-----
[CA certificate content]
-----END CERTIFICATE-----
  • Check the env var is set correctly
 △ t/fixtures/CA oc rsh apicast-example-apicast-666bddf8d5-nns84 env | grep SS
SSL_CERT_FILE=/var/run/secrets/apicast/ca-bundle.crt
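
The last two checks above only show that a file exists at the mounted path. As an added example (not part of this pull request or the operator's code; the helper names are hypothetical), the functions below confirm that the bundle read back from the pod holds exactly the certificates of the local bundle and that none of them has expired:

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of apicast-operator.

# Split PEM bundle $1 into one file per certificate under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$1"
}

# Print one SHA-256 fingerprint per certificate in bundle $1, sorted.
# Fails when the bundle holds no certificate, an entry does not parse, or an
# entry expires within $2 seconds (default 0, i.e. is already expired).
bundle_fingerprints() {
    bf_dir=$(mktemp -d) || return 2
    split_bundle "$1" "$bf_dir" 2>/dev/null || :
    bf_rc=1                              # stays 1 when no certificate is found
    for bf_cert in "$bf_dir"/cert-*.pem; do
        [ -e "$bf_cert" ] || break
        bf_rc=0
        openssl x509 -in "$bf_cert" -noout -checkend "${2:-0}" >/dev/null 2>&1 &&
            openssl x509 -in "$bf_cert" -noout -fingerprint -sha256 \
                >>"$bf_dir/fingerprints" 2>/dev/null || { bf_rc=1; break; }
    done
    [ "$bf_rc" -eq 0 ] && sort "$bf_dir/fingerprints"
    rm -rf "$bf_dir"
    return "$bf_rc"
}

# Succeed only when bundles $1 and $2 hold exactly the same certificates,
# in any order (for example the local file and the copy read from the pod).
same_bundle() {
    sb_a=$(bundle_fingerprints "$1") || return 1
    sb_b=$(bundle_fingerprints "$2") || return 1
    [ "$sb_a" = "$sb_b" ]
}

# Usage with the names from the steps above (needs the running pod):
#   oc rsh <pod> cat /var/run/secrets/apicast/ca-bundle.crt > mounted.pem
#   same_bundle rootCA.pem mounted.pem && echo "mounted CA bundle matches"
```

Passing a second argument to `bundle_fingerprints`, such as `2592000`, also rejects a bundle in which any certificate expires within the next 30 days.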

@tkan145 tkan145 requested a review from a team as a code owner March 14, 2025 06:07
@tkan145 tkan145 force-pushed the support-CA-certificate branch from 460f81c to 4b64773 Compare March 14, 2025 06:37
@tkan145 tkan145 changed the title from "[THREESCALE-10300] New APIcast CRD field: caCertificateSecretRef" to "[THREESCALE-7921] New APIcast CRD field: caCertificateSecretRef" Mar 14, 2025

2.- Create the certificate secret
```
kubectl create secret generic cacert --namespace=apicast-test --from-file=ca-bundle.crt=root-ca.crt
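
Review bot: the key name in `--from-file=ca-bundle.crt=root-ca.crt` looks load-bearing, but this step does not say so. The verification output in the description shows the file mounted at /var/run/secrets/apicast/ca-bundle.crt with SSL_CERT_FILE pointing at that path, so if the operator expects the key to be `ca-bundle.crt`, a secret created under another key name would leave SSL_CERT_FILE pointing at a missing file. Suggest stating the required key name next to this command. The command also hard-codes `--namespace=apicast-test`; note that it has to be the namespace the APIcast resource is created in.
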
Contributor

root-ca.crt doesn't exist, I think we need to change the rootCA.pem > root-ca.crt

Author

updated doc and also rebased

@tkan145 tkan145 force-pushed the support-CA-certificate branch from 4b64773 to 0e11af9 Compare March 24, 2025 07:01
@tkan145 tkan145 force-pushed the support-CA-certificate branch from 0e11af9 to db76de5 Compare May 19, 2025 08:22