Skip to content

Add comprehensive custom certificates documentation#293

Open
pwright wants to merge 12 commits into
skupperproject:mainfrom
pwright:certs-1
Open

Add comprehensive custom certificates documentation#293
pwright wants to merge 12 commits into
skupperproject:mainfrom
pwright:certs-1

Conversation

@pwright

@pwright pwright commented Jun 10, 2026

Copy link
Copy Markdown
Member
  • Add detailed custom certificates section to kube-yaml/site-linking.md
    • Explains default Skupper CA and certificate behavior
    • Documents custom server certificate setup
    • Provides kubectl/yq and manual methods for Link generation
    • Includes client certificate generation workflows
  • Add cross-reference in kube-cli/site-linking.md directing to YAML approach

@pwright pwright mentioned this pull request Jun 10, 2026
Comment thread input/kube-yaml/site-linking.md Outdated
```
Apply the secret:
```shell
kubectl delete secret skupper-site-server # delete existing secret

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we recommend using the skupper-site-server secret (the default one used when link-access is enabled), then better to also recommend creating it before the site is created, as it needs to exist on the namespace before the skupper.io.Certificate (CR) exists, to avoid racing with the controller.

An alternative would be to suggest a custom RouterAccess CR, instead of using --enable-link-access. Then we could also explain how to define the RouterAccess CR manuall, which has the .spec.generateTlsCredentials=false and has the .spec.tlsCredentials set to a user provided Secret.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated doc with two alternative approaches.

BTW Would deleting routeraccess when user disables linkaccess automatically be a good idea?
(then user could disable linkaccess, apply secret and re-enable linkaccess)

@pwright pwright requested a review from fgiorgetti June 17, 2026 16:00
@pwright pwright marked this pull request as ready for review June 17, 2026 16:01
Comment thread input/kube-yaml/custom-certs.md Outdated
Comment thread input/kube-yaml/custom-certs.md

5. On the listening site, create client credentials for the connecting site.

Since Skupper still creates the `skupper-site-ca` signing `Certificate` resource, you can use it to generate a client secret automatically. Create a `Certificate` resource:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you provided your own certificate, without using skupper-site-ca to sign it, then you must issue a client certificate yourself and just create a secret, similarly to what you've done earlier with the server cert. The client secret needs to be signed by the same CA (ca.crt) that signed the server certificate.
This approach is valid only if the server certificate was also signed by skupper-site-ca.

Comment thread input/kube-yaml/custom-certs.md Outdated
spec:
ca: skupper-site-ca
client: true
subject: skupper.public.host

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Subject here is not related to the server, so we can use something else to avoid confusion.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change to subject: skupper-client
but i dunno if that makes sense?

Comment thread input/kube-yaml/custom-certs.md Outdated

3. On the listening site, create client credentials for the connecting site.

Once your Skupper site is configured to use your custom server certificate, you can create a `Link` resource and an associated client `Secret`. Since Skupper always creates the `skupper-site-ca` signing `Certificate` resource on Kubernetes sites, you can use it to generate client credentials automatically. If you have replaced `skupper-site-ca` with a custom CA that Skupper cannot use for signing, you will need to provide the client `Secret` yourself.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you have provided the skupper-site-ca before creating your site, then you can use it to sign your certificates, as long as both client and server certificates have been signed by it.
In this second approach you're providing the skupper-site-server yourself so in this case you must use the same CA used to sign the server certificate, to sign the client certificate.
So for the Certificate CR to be used, the respective CA must have been also used to sign the server cert.

pwright added 12 commits July 1, 2026 15:18
- Add detailed custom certificates section to kube-yaml/site-linking.md
  - Explains default Skupper CA and certificate behavior
  - Documents custom server certificate setup
  - Provides kubectl/yq and manual methods for Link generation
  - Includes client certificate generation workflows
- Add cross-reference in kube-cli/site-linking.md directing to YAML approach
- Update overview/security.md with certificate trust explanation
- Fix terminology: 'Issuer' → 'signing Certificate resource'
- Fix certificate description: clarify CA hierarchy (not self-signed server cert)
- Fix kubectl commands: remove incorrect .items[] path for named resources
| Site delete/recreate needed | Yes, to prevent overwrite | No |
| Skupper overwrites your cert | Yes, unless pre-created | Never |

**Site-specific context**

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fgiorgetti After rereading, I added this section to help orient users, wdyt?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Certificate CR can also be a listening site concern, if a CA is provided, as the Certificate CR can reference the respective CA secret to sign the server certificate.
For a connecting site to use a Certificate CR, the CA that will be used to sign the public certificate must also be present on the respective namespace. If a RouterAccess has a reference to a custom secret signed by some external CA (no secret on the namespace), then client Certificates won't be used.

@pwright pwright requested a review from fgiorgetti July 1, 2026 14:28
| Site delete/recreate needed | Yes, to prevent overwrite | No |
| Skupper overwrites your cert | Yes, unless pre-created | Never |

**Site-specific context**

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Certificate CR can also be a listening site concern, if a CA is provided, as the Certificate CR can reference the respective CA secret to sign the server certificate.
For a connecting site to use a Certificate CR, the CA that will be used to sign the public certificate must also be present on the respective namespace. If a RouterAccess has a reference to a custom secret signed by some external CA (no secret on the namespace), then client Certificates won't be used.


3. On the listening site, create client credentials for the connecting site.

Once your Skupper site is configured to use your custom server certificate, you can create a `Link` resource and an associated client `Secret`. If your custom server Secret's `ca.crt` field contains `skupper-site-ca`, you can use the Certificate CR to generate client credentials automatically (Skupper will sign them with `skupper-site-ca`). If your custom server Secret's `ca.crt` contains a different CA, you must provide the client `Secret` yourself, signed by that CA.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that this sentence is a bit misleading: "If your custom server Secret's ca.crt field contains skupper-site-ca".

Maybe clearer to say something like: "If your custom server certificate was signed by the skupper-site-ca issuer or by a CA whose secret is on the listening site's namespace, you can use the Certificate CR to generate client credentials automatically".

I'd use something similar on the rest of the sentence: "If your custom server certificate was signed by a different CA, ...".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants