Page MenuHomePhabricator
Create Task
Maniphest T365681

toolforge: kubernetes can't revoke certificates
Open, Needs TriagePublic
Actions

Description

Toolforge kubernetes uses x509 certificates as the main authentication mechanism. But as of today, it cannot revoke such certs, or check a CRL, as documented in various places upstream, and in the internet:

We should keep this in mind when dealing with stuff like T363983: [toolforge] Investigate authentication.

Some options we could explore to mitigate the consequences of this limitation include:

  • issue x509 certs with a very short lifetime, like 1 day -- this will put some additional pressure on maintain-kubeusers
  • maybe we can instrument a poor-man CRL-like mechanism via Custom Admission controllers, or Kyverno -- this is unknown as of today

Related Objects
Search...

StatusSubtypeAssignedTask
 OpendcaroT362051 [components-api] First iteration of the component API
 OpendcaroT362066 [components-api] Develop the webhook mechanism to trigger a deployment
 OpendcaroT362071 [components-api] Extend the list of build triggers (unrefined)
 OpendcaroT362072 [components-api] Add support for non-public services
 ResolvedFeatureRaymond_NdibeT348758 [jobs-api,jobs-cli] Support services in jobs
 OpenRaymond_NdibeT359804 [jobs-api] Refactor before webservice support
 OpenRaymond_NdibeT358815 [jobs-api] separate jobs-framework k8s object templates from code
 OpenRaymond_NdibeT359650 [jobs-api] Save business models in a DB
 ResolveddcaroT359806 [jobs-api] Remove flask-restful
 In ProgressdcaroT359808 [jobs-api] Split the API, business, and k8s models
 OpenNoneT360016 [jobs-api,buildservice-api,envvars-api] evaluate crossplane for composite objects creation and maintenance
 ResolvedRaymond_NdibeT362520 [maintain-kubeusers] Increment default services quota
 OpendcaroT362076 [components-api] Add support for pre-built images (ex. python3.11, to refine)
 OpendcaroT362075 [components-api] add one-off, scheduled and continuous jobs support to the yaml + api
 OpendcaroT362077 [components-api] Add webservice support (to refine)
 OpenNoneT362082 [components-api] Add minimal cli with build-only features
 OpendcaroT362069 [components-api] Get a skeleton of API webservice and implement `/tool/<toolname>/deploy` with build-only features
 In ProgressdcaroT363983 [toolforge] Investigate authentication
 OpenNoneT365681 toolforge: kubernetes can't revoke certificates
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL