ngrok / kubernetes-ingress-controller

The official ngrok Ingress Controller for Kubernetes
https://ngrok.com
MIT License

root-cas setting #371

Closed jrobsonchase closed 1 month ago

jrobsonchase commented 2 months ago

closes: #369

What

Utilizes the trusted or host CA as the source of truth via a helm install flag.

How

Takes an install option for --set rootCAs=host and plumbs the isHostCA check into the caCerts for it to just get the host certs.

Verification

jrobsonchase commented 2 months ago

Looks to be working as expected:

failed to reconnect session     {"obj": "csess", "id": "0eb6ded7abdf", "err": "failed to send authentication request: tls: failed to verify certificate: x509: certificate signed by unknown authority"}

with the standard agent ingress, which uses the internal ngrok CA rather than Let's Encrypt.

bobzilladev commented 1 month ago

From meeting today:

  1. Will instead add a root_cas option with similar semantics to the agent: https://ngrok.com/docs/ngrok-agent/config/#root_cas
  2. The default will be internal and use the cert baked into ngrok-go. Caveat: if the special local directories exist and have certs, those will be used instead (same behavior as the controller currently uses).
  3. The host option will use host certs, as this PR makes possible.
  4. Any other values for root_cas will throw an error. In the future we may build functionality to refer to a k8s object here.

A table @jrobsonchase made of options, for posterity. We're going with the middle option: [image: 2024-05-17-105728_691x276_scrot]