Closed maelvls closed 3 months ago
@hawksight Hey, can you take a quick look? All the credit goes to you since I've copied a lot of your work in #540 😅
@hawksight Do I also need to set Go's SSL_CERT_FILE
for clarity, or is that unnecessary?
env:
- name: SSL_CERT_FILE
value: /etc/ssl/certs/ca-certificates.crt
I'm thinking that having this will make it more obvious. It's already the path used by Go to look for the system CA bundle. Note that env
can't be set at the moment in values.yaml.
Other question: do I really need to overwrite the container's ca-certificates.crt
, or is Go going to load anything that is under /etc/ssl/certs
?
Update: Ah... Go does load all certificates under /etc/ssl/certs
: https://github.com/golang/go/blob/ea537cca314d9da5365eeefcc375410c76e93b36/src/crypto/x509/root_linux.go#L21, https://github.com/golang/go/blob/ea537cca314d9da5365eeefcc375410c76e93b36/src/crypto/x509/root_unix.go#L61.
I'll undo my complicated /etc/ssl/certs/ca-certificates.crt
and do the same thing as you did in #540.
I'm thinking that having this will make it more obvious. It's already the path used by Go to look for the system CA bundle. Note that env can't be set at the moment in values.yaml.
You are right that it does make it very explicit. There is a SSL_CERT_DIR
as well perhaps we could set?
Right now we just rely on Go's defaults. It's worked to date but perhaps we should be explicit?
Thanks. I'll change things to match what you have done. My proposition is too complex, I don't need to overwrite the ca-certificates.crt
for this to work.
I've re-tested my changes. It works fine. I'll merge now. Thank you Peter!
Ref: https://venafi.atlassian.net/browse/VC-34488
We found that there is currently no “knob” in the Venafi Kubernetes Agent
values.yaml
file to configure a custom CA bundle. @hawksight created a GitHub issue for that: #541.In this PR, I add the new
volumes
andvolumeMounts
and added examples of how to set up a custom CA bundle in the comments of the CA bundle. 99% of this PR comes from @hawksight's work in #540.The way I intend users to use custom CA bundles is to first create a config map:
Then, the user configures its
values.yaml
with the following:That's because Venafi Kubernetes Agent will trust any PEM certificate under
/etc/ssl/certs
.With venctl, using the same values.yaml as above, it will look like this:
Unit tests
Manual tests (in Kubernetes)
The first test is about replacing the system bundle and testing with that. The second test is about adding a CA bundle along side the system bundle and checking that it works.
Replacing ca-certificates.crt
I don't use the Helm chart's
config.yaml
as there is too much noise in the logs. Instead, I use a bare-bones configmap that doesn't even gather any data but still connects to the Venafi Cloud API.Now, let's create a configmap with a CA bundle that only contains the Venafi Cloud certificate:
Then, I created
mine/ca-bundle.values.yaml
:In the logs, we can see that the TLS connection is working (although there is this 404 error that I don't understand):
Just to double check that I got it right, I changed the
cabundle
configmap to another bundle that shouldn't work:As expected, the TLS validation fails:
It proves that the CA bundle is correctly used by the agent.
Without replacing ca-certificates.crt
Go loads all the certs in
/etc/ssl/certs
, so there is no need to replace/etc/ssl/certs/ca-certificates.crt
.Do the same as above, but replace
mine/ca-bundle.values.yaml
with the following:Don't forget to replace the cabundle configmap with the Venafi cert:
It works as expected:
Now, let's check that it doesn't default to using
ca-certificates.crt
by using a different cabundle:As expected:
Checking the actual content of the CA bundle without a shell in the container
I needed to check whether the /etc/ssl/certs/ca-certificates.crt file in the container actually contained the right certificates. I couldn't get a shell in the Venafi Agent container, so I had to read the containers' filesystem from the host:
Pre-testing in Docker
Before having it work in Kubernetes, I tested this in Docker.
In the container:
It should work:
(OK, that's an error, but it still shows that the TLS connection is working.)
Now, change the
ca-certificates.crt
to something else:You will see: