Initial work to use base client

[Marenz]

Currently on hold as the base client does not seem to easily support using a custom root certificate authority. At this point we still need to use that as we're still waiting on proper certificates

So this is blocked by either:

• BaseClient supporting custom root certificates.
• Infra giving us an officially recognized SSL certificate.

[llucax]

BaseClient supporting custom root certificates

Can you create an issue (or better a PR :innocent: ) with what's needed? An example of how you are creating the grpc channel would help.

[Marenz]

You can see the according code here: https://github.com/frequenz-floss/frequenz-client-dispatch-python/blob/v0.x.x/src/frequenz/client/dispatch/__main__.py#L57 We add a repo-local certificate here as root so that our client accepts the self-signed certificate of the service.

[llucax]

So looking at that now, and you seem to have a function that accepts more than just the root cert, so for now I will only implement passing a root cert to the base client. Let me know if I am misreading this and you also need to pass a private key and a cert chain.

[llucax]

Also, any reason for storing the root cert in the repo and using files(...)? Shouldn't the root cert be provided by whoever actually instantiates the client and not the client package itself?

[llucax]

In any case, the base client will take the root cert as a path to a file and let clients decide how to do the config, but it seems weird to ship a root cert and force any client users to use that root cert.

[Marenz]

Shouldn't the root cert be provided by whoever actually instantiates the client and not the client package itself?

no, because they wouldn't have the cert ;)

We generated the cert, we signed the server certs with it and we also ship it in the client because that's the only way they can validate the server cert.

[llucax]

We generated the cert, we signed the server certs with it and we also ship it in the client because that's the only way they can validate the server cert.

You can publish the certs somewhere, like you do with you gpg public key, no? Anyway:

• https://github.com/frequenz-floss/frequenz-client-base-python/pull/73

[llucax]

I might need to understand the cert part better, as if the cert really needs to be shipped by the client then passing it via URL doesn't make a lot of sense...

[Marenz]

You can publish the certs somewhere, like you do with you gpg public key, no? Anyway:

I mean sure, but why give our client users so much work if we can just ship it straight with the client? It's the only place were its used and useful. Remember also that this is a temporary solution until infrastructure gives me a proper certificate signed by a real CA... https://github.com/frequenz-io/infrastructure/issues/73

[llucax]

Yeah, ok, given let's encrypt I hope we can get normal certificates without needing a root cert. Not sure if we should event merge the PR, maybe for "advanced use" the client should just accept a pre created channel instead of a URL.