use the internal client CA for the new proxy

xrstf · xrstf · commit 16531c42da10 · 2025-09-03T18:20:26.000+02:00
On-behalf-of: @SAP christoph.mewes@sap.com
diff --git a/internal/resources/frontproxy/deployment.go b/internal/resources/frontproxy/deployment.go
@@ -158,12 +158,20 @@ func (r *reconciler) deploymentReconciler() reconciling.NamedDeploymentReconcile
 			// front-proxy requestheader client cert
 			mountSecret(r.certName(operatorv1alpha1.RequestHeaderClientCertificate), frontProxyBasepath+"/requestheader-client", true)
 
-			// rootshard frontproxy client ca
-			mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.FrontProxyClientCA), frontProxyBasepath+"/client-ca", true)
-
 			// kcp rootshard root ca
 			mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.RootCA), kcpBasepath+"/tls/ca", true)
 
+			// Regular front-proxies use a dedicated client CA. However the internal rootshard proxy
+			// uses the internal client CA instead to make it easier for the kcp-operator to just use
+			// a single certificate to access all components.
+			if r.frontProxy != nil {
+				// rootshard frontproxy client ca
+				mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.FrontProxyClientCA), frontProxyBasepath+"/client-ca", true)
+			} else {
+				// kcp client ca
+				mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.ClientCA), kcpBasepath+"/tls/client-ca", true)
+			}
+
 			// front-proxy config
 			{
 				cmName := r.pathMappingConfigMapName()
@@ -214,16 +222,21 @@ var defaultArgs = []string{
 	"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
 	"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
 	"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-	"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 	"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
 }
 
 func (r *reconciler) getArgs() []string {
 	args := defaultArgs
+
+	// rootshard proxy mode
 	if r.frontProxy == nil {
+		args = append(args, fmt.Sprintf("--client-ca-file=%s/tls/client-ca/tls.crt", kcpBasepath))
 		return args
 	}
 
+	// regular front-proxy
+	args = append(args, fmt.Sprintf("--client-ca-file=%s/client-ca/tls.crt", frontProxyBasepath))
+
 	if auth := r.frontProxy.Spec.Auth; auth != nil {
 		if auth.DropGroups != nil {
 			args = append(args, fmt.Sprintf("--authentication-drop-groups=%q", strings.Join(auth.DropGroups, ",")))
diff --git a/internal/resources/frontproxy/deployment_test.go b/internal/resources/frontproxy/deployment_test.go
@@ -450,8 +450,8 @@ func TestGetArgs(t *testing.T) {
 				"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
 				"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
 				"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
+				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 			},
 		},
 		{
@@ -467,8 +467,8 @@ func TestGetArgs(t *testing.T) {
 				"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
 				"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
 				"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
+				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--authentication-drop-groups=\"group1,group2\"",
 			},
 		},
@@ -485,8 +485,8 @@ func TestGetArgs(t *testing.T) {
 				"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
 				"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
 				"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
+				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--authentication-pass-on-groups=\"group3,group4\"",
 			},
 		},
@@ -504,8 +504,8 @@ func TestGetArgs(t *testing.T) {
 				"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
 				"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
 				"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
+				"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
 				"--authentication-drop-groups=\"group1\"",
 				"--authentication-pass-on-groups=\"group2\"",
 			},
diff --git a/internal/resources/rootshard/certificates.go b/internal/resources/rootshard/certificates.go
@@ -261,7 +261,11 @@ func OperatorClientCertificateReconciler(rootShard *operatorv1alpha1.RootShard)
 				},
 
 				IssuerRef: certmanagermetav1.ObjectReference{
-					Name:  resources.GetRootShardCAName(rootShard, operatorv1alpha1.FrontProxyClientCA),
+					// This shard is meant to be used against shards directly (cluster-local) or with
+					// the internal root shard proxy (also cluster-local). All of these are configured
+					// to use the regular client CA (not like "normal" front-proxies, which have their
+					// own CA).
+					Name:  resources.GetRootShardCAName(rootShard, operatorv1alpha1.ClientCA),
 					Kind:  "Issuer",
 					Group: "cert-manager.io",
 				},
