getseabird / seabird

Native Kubernetes desktop IDE designed for seamless cluster exploration
https://getseabird.github.io/
Mozilla Public License 2.0
914 stars 24 forks

Custom CA cert support #85

Closed gjask closed 4 months ago

gjask commented 4 months ago

Issue description

I tried Seabird with our company's k8s clusters running in a private network. The thing is, all our internal services use our company CA. I have installed the CA cert system-wide, but Seabird (or flatpak) doesn't seem to be able to use it.

[Screenshot from 2024-04-29 10-53-06]

Steps to reproduce

  1. Start seabird
  2. Try to open cluster with private CA

System information

Fedora 40 (Silverblue), Seabird v0.3.2 (flathub)

jgillich commented 4 months ago

Hmm, does your kubeconfig reference the CA file? I don't see any config options in client-go related to system CAs.

gjask commented 4 months ago

No, it doesn't. Should it? Because the CLI kubectl just works with system-installed certs.

jgillich commented 4 months ago

No, just wanted to check. Flatpak should be adding system CA certs, and Go will pick them up when found in standard locations.

Try and see if you can access the cluster from within the sandbox with kubectl:

flatpak run --command=sh --devel dev.skynomads.Seabird
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
./kubectl get nodes

gjask commented 4 months ago

It doesn't work in the same way.

jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ bin/kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority

Also, I checked the system certs from the flatpak and from the system, and not only is my company cert missing, but those are actually very different files. So is it flatpak failing to import the system CA certs?

jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ cat /etc/pki/tls/certs/ca-bundle.crt > flatpak-ca-bundle.crt
[📦 dev.skynomads.Seabird ~]$ 
exit
jask@silverbook:~$ diff flatpak-ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt | wc -l
2462

jgillich commented 4 months ago

Seems like Flatpak uses p11-kit; the CA bundle is placed in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, which is loaded by Go.

How did you add the cert? Try this: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/

gjask commented 4 months ago

That is exactly how I added it.

Interestingly, all paths mentioned in https://go.dev/src/crypto/x509/root_linux.go exist in the flatpak except those for openSUSE and OpenELEC. And all of them are different from my system certs. And none of them contains my cert. Also, if that helps, on my system I can see all certs using the trust list command. But it fails inside the flatpak.

jask@silverbook:~$ trust list | head -6
pkcs11:id=%AA%D0%0A%17%1B%13%38%35%AB%26%0C%AF%23%A4%71%F8%8F%E6%C0%38;type=cert
    type: certificate
    label: Seznam.cz Internal Root CA 2022
    trust: anchor
    category: authority

jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ trust list 2>&1 | head -6
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení

EDIT: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem also exists on my system and contains my cert.

jask@silverbook:~$ cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep Seznam
# Seznam.cz Internal Root CA 2022

jgillich commented 4 months ago

OK wow, looks like we are expected to use the p11-kit server protocol; certs cannot be loaded from disk: https://github.com/flatpak/flatpak/issues/2721

Go does not support this, and probably never will. Strange decision by the Flatpak people. You'll have to use Flatseal to mount the bundle file.
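The two comments above (the root_linux.go path list and Go's inability to talk to p11-kit) can be checked directly from Go. The following diagnostic is an added example, not Seabird code and not part of the issue: it mirrors the bundle-file probing order of Go's crypto/x509 on Linux (first readable file wins; the additional directory scan of /etc/ssl/certs and friends is omitted), honours the SSL_CERT_FILE override that crypto/x509 itself honours, and reports whether a CA with a given Subject CN is present in the bundle Go would actually consult. The CA it generates ("Example Corp Internal Root CA (constructed)") is a throwaway self-signed root constructed for the example; inside a Flatpak sandbox the probe would find the bundle files that exist there and report the corporate CA as missing, which is exactly the symptom in the thread, while pointing SSL_CERT_FILE at a mounted bundle makes the same program report it as present.

```go
// Added diagnostic example (not Seabird's code): mimic how Go's crypto/x509
// locates root CAs on Linux and check whether a given CA is reachable.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// certFiles mirrors the bundle locations probed in crypto/x509/root_linux.go;
// Go stops at the first file it can read.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
	"/etc/ssl/cert.pem",                                 // Alpine Linux
}

// BundleContains reports whether a PEM bundle holds a certificate whose
// Subject CN equals wantCN. Non-certificate blocks and unparsable
// certificates are skipped, as Go's own AppendCertsFromPEM does.
func BundleContains(bundle []byte, wantCN string) bool {
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return false
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue
		}
		if cert.Subject.CommonName == wantCN {
			return true
		}
	}
}

// LocateCA resolves the bundle Go would use (SSL_CERT_FILE replaces the
// built-in list, exactly as crypto/x509 does) and reports whether the CA
// with the given CN is present in it. It returns the bundle path consulted.
func LocateCA(wantCN string) (string, bool, error) {
	candidates := certFiles
	if override := os.Getenv("SSL_CERT_FILE"); override != "" {
		candidates = []string{override}
	}
	for _, path := range candidates {
		data, err := os.ReadFile(path)
		if err != nil {
			continue // absent or unreadable here (e.g. inside a sandbox)
		}
		return path, BundleContains(data, wantCN), nil
	}
	return "", false, errors.New("no readable CA bundle in any probed location")
}

// NewTestCA builds a throwaway self-signed root CA (constructed for this
// example; it stands in for a company's internal root) and returns it as PEM.
func NewTestCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed CN; on a real host you would pass your corporate root's CN.
	cn := "Example Corp Internal Root CA (constructed)"
	path, found, err := LocateCA(cn)
	if err != nil {
		fmt.Println("diagnosis:", err)
		return
	}
	fmt.Printf("bundle consulted: %s, contains %q: %v\n", path, cn, found)
}
```

Run it once inside `flatpak run --command=sh --devel dev.skynomads.Seabird` and once on the host to see which bundle each environment resolves and whether the corporate CA is in it. Because Go stops at the first readable file, a sandbox that ships a stale /etc/ssl/certs/ca-certificates.crt will never reach tls-ca-bundle.pem even if that one were correct; SSL_CERT_FILE (or SSL_CERT_DIR for a directory of PEM files) is the only loader-level override crypto/x509 offers, which is why mounting the host bundle into the sandbox and pointing at it is the workable mitigation when the application cannot speak the p11-kit server protocol.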

gjask commented 4 months ago

Would it be possible to use a tool for exporting the system certs via the p11-kit server protocol into one of those paths during flatpak startup? The application itself wouldn't need to support it, but it would work in flatpak without the need for the user to apply any workaround.

I don't know much about flatpaks, but this is what I would do in an entrypoint in an OCI container. I hope flatpak has a similar capability.

In case that is not a viable solution and action on the user's side is still needed, could you please provide a how-to in your documentation?