View Issue Details

ID: 0009332
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2024-07-09 16:45
Reporter: Paul Hunkar
Assigned To: Matthias Damm
Priority: normal
Severity: tweak
Reproducibility: always
Status: assigned
Resolution: open
Summary: 0009332: Support kubernetes deployment
Description

A "newer" deployment pattern in IT is containers on Kubernetes. In Kubernetes the hostname of an OPC UA server is the pod name, but the pod name is very transient and changes on every deployment/change, making it hard to present clients with the same certificate; the end result is a server which changes its certificate fairly often, as the hostname changes. This is deployed as a single instance.

If one were to take advantage of more Kubernetes capabilities and deploy many servers in parallel for horizontal scaling, then a client would see different certificates depending on the request routing.

It would be good if the security model would support this deployment pattern.

Steps To Reproduce
  1. Make a server in a Docker container
  2. Deploy on Kubernetes with a persistent volume for the PKI folder
  3. Connect with a client like UAExpert and subscribe to some values
  4. Make a new version of the same server in a container
  5. Deploy the new version in Kubernetes
  6. The client cannot automatically reconnect as the certificate has changed
Tags: Certificate Management, Docker, Kubernetes, Networking
Commit Version:
Fix Due Date:

Relationships

related to 0007216 (acknowledged, Paul Hunkar, 10000-002: Security): Support kubernetes deployment

Activities

Jim Luth

2023-12-22 16:04

administrator   ~0020548

Needs to be cloned to Part 4. The Part 4 redundancy section describes a pool of hot redundant servers that can be accessed round robin by clients for load balancing. This works where the servers in the hot set all have certs from the same CA and it's the CA that is trusted by the clients (not the individual certs).

Paul Hunkar

2023-12-22 16:05

developer   ~0020549

Cloned from part 2 issue

Matthias Damm

2024-01-03 09:10

developer   ~0020564

I am not sure why any solution that addresses the original question would make sense for what the hostname/DNS name is in the certificate.

The DNS name in the certificate is used by the client to compare the hostname in the EndpointUrl used to connect with the certificate.
Does this DNS name of the server really change?
Are the internal names used by clients to connect?

Jouni Aro

2024-01-05 08:48

reporter   ~0020576

The containers can share the hostname, although it's not necessarily straightforward how to accomplish it (via a configuration file on the persistent volume, or the certificate, or an argument to the container if it's started manually from the Docker host).

They will need to share the connection address anyway, so that the clients can connect.

But, maybe it's a good idea to describe how the containerised applications should be configured.
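As an added illustration of the configuration the reproduction steps and the comment above call for (this is example configuration written for this page, not a manifest from the issue, the OPC UA specification or any server vendor), the following Kubernetes manifest gives a containerised OPC UA server a stable DNS name through a Service, a shared pod hostname instead of the generated pod name, and a persistent volume for the PKI folder so the certificate and private key survive a redeploy. The namespace, image name, port 4840, the PKI mount path and the OPCUA_HOSTNAME environment variable the server is assumed to read are all placeholders; a real server reads its hostname from whatever configuration mechanism it offers.

```yaml
# Added example, not from the issue: stable name + persistent PKI folder for
# an OPC UA server on Kubernetes. Names, image, path and env var are assumed.
apiVersion: v1
kind: Service
metadata:
  name: opcua-server        # stable name: opcua-server.automation.svc.cluster.local
  namespace: automation
spec:
  selector:
    app: opcua-server
  ports:
    - name: opc-tcp
      port: 4840            # port the clients put in the EndpointUrl
      targetPort: 4840
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: opcua-pki
  namespace: automation
spec:
  accessModes: ["ReadWriteOnce"]   # one pod at a time may hold the key material
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opcua-server
  namespace: automation
spec:
  replicas: 1               # single instance, as in the issue description
  selector:
    matchLabels:
      app: opcua-server
  template:
    metadata:
      labels:
        app: opcua-server
    spec:
      # Every pod created from this template gets this hostname instead of the
      # generated pod name, so a redeploy does not change what the server sees.
      hostname: opcua-server
      containers:
        - name: server
          image: registry.example.com/opcua-server:1.2.3   # placeholder image
          ports:
            - containerPort: 4840
          env:
            # Assumed server setting: the DNS name the server places in the
            # certificate SubjectAltName and in its EndpointUrl. It must be the
            # name clients actually connect to, i.e. the Service name above.
            - name: OPCUA_HOSTNAME
              value: opcua-server.automation.svc.cluster.local
          volumeMounts:
            - name: pki
              mountPath: /opt/opcua/pki   # own cert, private key and trust list
      volumes:
        - name: pki
          persistentVolumeClaim:
            claimName: opcua-pki
```

With this layout, steps 4 and 5 of the reproduction (a new image version rolled out) reuse the certificate and key already on the volume and the server keeps presenting the Service name, so the client's existing trust entry and its hostname check against the EndpointUrl both still pass. For the horizontal-scaling case in Jim Luth's comment the same manifest would need more than one replica; rather than sharing one private key across replicas, each replica should then be issued its own certificate from the same CA and clients should trust that CA, with every certificate still carrying the Service name.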

Issue History

Date Modified Username Field Change
2023-12-22 16:04 Paul Hunkar New Issue
2023-12-22 16:04 Paul Hunkar Status new => assigned
2023-12-22 16:04 Paul Hunkar Assigned To => Paul Hunkar
2023-12-22 16:04 Paul Hunkar Tag Attached: Certificate Management
2023-12-22 16:04 Paul Hunkar Tag Attached: Docker
2023-12-22 16:04 Paul Hunkar Tag Attached: Kubernetes
2023-12-22 16:04 Paul Hunkar Tag Attached: Networking
2023-12-22 16:04 Paul Hunkar Issue generated from: 0007216
2023-12-22 16:04 Paul Hunkar Note Added: 0020548
2023-12-22 16:04 Paul Hunkar Relationship added related to 0007216
2023-12-22 16:04 Paul Hunkar Project 10000-002: Security => 10000-004: Services
2023-12-22 16:04 Paul Hunkar Assigned To Paul Hunkar =>
2023-12-22 16:04 Paul Hunkar Assigned To => Paul Hunkar
2023-12-22 16:04 Paul Hunkar Status assigned => new
2023-12-22 16:05 Paul Hunkar Note Added: 0020549
2024-01-02 16:29 Jim Luth Assigned To Paul Hunkar => Matthias Damm
2024-01-02 16:30 Jim Luth Status new => assigned
2024-01-03 09:10 Matthias Damm Note Added: 0020564
2024-01-05 08:48 Jouni Aro Note Added: 0020576