Defining KnativeServing.spec.controller-custom-certs results in ConfigMap being overwritten #1982

Open
kwkoo opened this issue Mar 5, 2023 · 4 comments


kwkoo commented Mar 5, 2023

When I define a custom registry certificate in a ConfigMap and reference the ConfigMap in KnativeServing.spec.controller-custom-certs (described here), the contents of the ConfigMap get overwritten with the certificates of other CAs.

This behavior is not present when using the upstream Knative operator.

This looks like it may be due to this line.

However, when the custom registry certificate is defined in a Secret, the contents of the Secret are not overwritten.

If the objective is to merge the service CAs and the trusted CAs with the contents of the ConfigMap, then shouldn't the original contents of the ConfigMap be copied into combinedContents?
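
The merge asked about in the comment above, sketched as an added example that is not part of the thread and not the operator's code. The function names, key names and placeholder PEM strings are assumptions; only the idea of copying the ConfigMap's original contents into the combined result comes from the issue.

```go
package main

import (
	"fmt"
	"sort"
)

// mergeCertData builds the data for the certificate ConfigMap. Hypothetical
// helper: user holds the keys the administrator created, injected holds the
// service CA and trusted CA entries. User entries are copied in first and are
// never replaced; a colliding injected entry is stored under a prefixed key.
func mergeCertData(user map[string]string, injected ...map[string]string) map[string]string {
	combined := make(map[string]string, len(user))
	for k, v := range user {
		combined[k] = v
	}
	for i, src := range injected {
		for k, v := range src {
			if old, ok := combined[k]; ok && old != v {
				k = fmt.Sprintf("injected-%d-%s", i, k)
			}
			combined[k] = v
		}
	}
	return combined
}

// lostKeys lists user keys that are missing or changed in after, which is the
// symptom reported in the issue.
func lostKeys(user, after map[string]string) []string {
	var lost []string
	for k, v := range user {
		if got, ok := after[k]; !ok || got != v {
			lost = append(lost, k)
		}
	}
	sort.Strings(lost)
	return lost
}

func main() {
	// Constructed sample data; key names and PEM bodies are placeholders.
	user := map[string]string{"registry-ca.crt": "PEM-USER-REGISTRY"}
	serviceCA := map[string]string{"service-ca.crt": "PEM-SERVICE-CA"}
	trustedCA := map[string]string{"ca-bundle.crt": "PEM-TRUSTED-BUNDLE"}
	overwritten := map[string]string{"service-ca.crt": "PEM-SERVICE-CA", "ca-bundle.crt": "PEM-TRUSTED-BUNDLE"}
	fmt.Println("overwrite loses:", lostKeys(user, overwritten))
	fmt.Println("merge loses:", lostKeys(user, mergeCertData(user, serviceCA, trustedCA)))
}
```

A check like `lostKeys` can be run against the ConfigMap data before and after reconciliation to confirm whether a custom registry CA survived.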

Member

pierDipi commented Apr 5, 2023

cc @skonto @nak3 @ReToCode

Contributor

skonto commented Apr 26, 2023

Hi @kwkoo the current design is described here:

If a secret is not included in the KnativeServing CR, this setting defaults to using public key infrastructure (PKI). When using PKI, the cluster-wide certificates are automatically injected into the Knative Serving controller by using the config-service-sa config map.

For the OCP PKI stuff there is more here. Right now the way to manually set certs is done via a secret only. This needs more work to be aligned with the upstream.

Author

kwkoo commented Apr 26, 2023

Thank you for the link, Stavros. I see that the docs you linked to talk about putting the certificate in a Secret. However, it does not define what happens when you put the certificate in a ConfigMap. Should the docs include a paragraph warning users against using ConfigMaps for the certificate then?

This is especially important since the Knative docs use ConfigMaps as an example.

Contributor

skonto commented Apr 26, 2023

I will create an issue to track this internally, thanks.
