Closed: gjask closed this 4 months ago
Hmm, does your kubeconfig reference the CA file? I don't see any config options in client-go related to system CAs
No, it doesn't. Should it? The kubectl CLI just works with system-installed certs.
No, just wanted to check. Flatpak should be adding system CA certs, and Go will pick them up when found in standard locations.
Try and see if you can access the cluster from within the sandbox with kubectl
flatpak run --command=sh --devel dev.skynomads.Seabird
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
./kubectl get nodes
It doesn't work in the same way.
jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ bin/kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority
Also, I checked the system certs from inside the flatpak and from the system, and not only is my company cert missing, but they are actually very different files. So is it flatpak failing to import the system CA certs?
jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ cat /etc/pki/tls/certs/ca-bundle.crt > flatpak-ca-bundle.crt
[📦 dev.skynomads.Seabird ~]$ exit
jask@silverbook:~$ diff flatpak-ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt | wc -l
2462
Seems like Flatpak uses p11-kit; the CA bundle is placed in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, which is loaded by Go.
How did you add the cert? Try this: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
That is exactly how I added it.
Interestingly, all paths mentioned in https://go.dev/src/crypto/x509/root_linux.go exist in flatpak except those for openSUSE and OpenELEC. And all of them are different from my system certs. And none of them contains my cert. Also, if that helps, on my system I can see all certs using the trust list command. But it fails inside flatpak.
jask@silverbook:~$ trust list | head -6
pkcs11:id=%AA%D0%0A%17%1B%13%38%35%AB%26%0C%AF%23%A4%71%F8%8F%E6%C0%38;type=cert
type: certificate
label: Seznam.cz Internal Root CA 2022
trust: anchor
category: authority
jask@silverbook:~$ flatpak run --command=sh --devel dev.skynomads.Seabird
[📦 dev.skynomads.Seabird ~]$ trust list 2>&1 | head -6
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
p11-kit: couldn't load attributes: Nastala chyba na zařízení
(The Czech message "Nastala chyba na zařízení" means "An error occurred on the device".)
EDIT: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem also exists on my system and contains my cert.
jask@silverbook:~$ cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep Seznam
# Seznam.cz Internal Root CA 2022
OK, wow. Looks like we are expected to use the p11-kit server protocol; certs cannot be loaded from disk: https://github.com/flatpak/flatpak/issues/2721
Go does not support this, and probably never will. Strange decision by the Flatpak people. You'll have to use Flatseal to mount the bundle file.
Would it be possible to use a tool that exports the system certs via the p11-kit server protocol into one of those paths during flatpak startup? The application itself wouldn't need to support it, but it would work in flatpak without the user needing to apply any workaround.
I don't know much about flatpaks, but this is what I would do in an entrypoint in an OCI container. I hope flatpak has a similar capability.
In case that is not a viable solution and action on the user's side is still needed, could you please provide a how-to in your documentation?
Issue description
I tried Seabird with our company's k8s clusters running in a private network. The thing is, all our internal services use our company CA. I have installed the CA cert system-wide, but Seabird (or flatpak) doesn't seem to be able to use it.
Steps to reproduce
System information
Fedora 40 (Silverblue), Seabird v0.3.2 (flathub)