rancher / k3os

Purpose-built OS for Kubernetes, fully managed by Kubernetes.
https://k3os.io
Apache License 2.0

Add support for cloud-init ca-certs field #744

Open philomory opened 2 years ago

philomory commented 2 years ago

Is your feature request related to a problem? Please describe.
I'd like to add a private CA as a trusted root to k3os. Cloud-init provides a way to accomplish this, via the ca-certs parameter, but k3os doesn't seem to support this parameter.

Describe the solution you'd like
I'd like k3os to support using ca-certs.trusted in the cloud-init data to add trusted root CAs (while leaving the existing trusted roots in place unless ca-certs.remove-defaults is set to true).

Describe alternatives you've considered
I considered manually adding the certificate using write_files, but this is difficult to do correctly due to a bug in k3os's implementation of update-ca-certificates (#518).

dweomer commented 2 years ago

The workaround in #518 should be something you can capture in a write_files + run_cmd:

> Actually I made a workaround:
>
> 1. Moved the /etc/ssl/certs/ca-certificates.crt to /usr/local/share/ca-certificates
> 2. Manually append all wanted certificates with cat *.crt >> /usr/local/share/ca-certificates/ca-certificates.crt
> 3. Created directory mkdir -p /etc/ca-certificates/update.d/
> 4. Executed command sudo update-ca-certificates
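A k3os config.yaml that captures the quoted #518 workaround in write_files + run_cmd, added here as an example and not taken from the issue thread or the k3os project. The file name private-ca.crt and the PEM body are placeholders chosen for this example; the guards make the steps safe to re-run, since k3os applies run_cmd on each boot.

```yaml
# Added example (not from the issue thread): k3os config.yaml implementing the
# #518 workaround. Replace the placeholder PEM with the real private CA.
write_files:
  - path: /usr/local/share/ca-certificates/private-ca.crt   # name chosen here
    permissions: "0644"
    owner: root
    content: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER-REPLACE-WITH-YOUR-PRIVATE-CA-PEM
      -----END CERTIFICATE-----

run_cmd:
  # Step 1: move the system bundle next to the local certs (only on first boot;
  # on later boots the file is already gone, so the guard skips the mv).
  - "[ -f /etc/ssl/certs/ca-certificates.crt ] && mv /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/ca-certificates.crt || true"
  # Step 2: append the private CA to the bundle. The quoted workaround used
  # `cat *.crt`, which would also re-read the bundle itself from the same
  # directory; appending only the named file and skipping if it is already
  # present keeps the bundle from growing on every boot.
  - "grep -qF \"$(sed -n 2p /usr/local/share/ca-certificates/private-ca.crt)\" /usr/local/share/ca-certificates/ca-certificates.crt || cat /usr/local/share/ca-certificates/private-ca.crt >> /usr/local/share/ca-certificates/ca-certificates.crt"
  # Step 3: the hook directory update-ca-certificates expects to exist.
  - "mkdir -p /etc/ca-certificates/update.d/"
  # Step 4: regenerate the trust store (run_cmd already runs as root).
  - "update-ca-certificates"
```

Verify on the node with `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt <cert-issued-by-private-ca>`; if the bundle has not been regenerated, the #518 behaviour is still in play.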

philomory commented 2 years ago

Was this closed because a workaround exists, or because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter.

philomory commented 2 years ago

@dweomer I was wondering about the reasoning behind closing this issue? Was it closed simply because a workaround exists, or was it closed because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter rather than requiring this sort of non-obvious, error-prone workaround. Even if the bug in #518 was fixed, the cloud-init ca-certs parameter would still be preferable to using write_files and run_cmd to add the certificate.

dweomer commented 2 years ago

> @dweomer I was wondering about the reasoning behind closing this issue? Was it closed simply because a workaround exists, or was it closed because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter rather than requiring this sort of non-obvious, error-prone workaround. Even if the bug in #518 was fixed, the cloud-init ca-certs parameter would still be preferable to using write_files and run_cmd to add the certificate.

@philomory apologies for missing your original follow-up: I am happy to re-open this but I must also admit that I do not foresee working on this anytime soon. It would definitely be nice to have!

philomory commented 2 years ago

@dweomer I've tracked down the underlying reason for #518 and have submitted a PR to fix it in #818; my intent is to follow up with a second PR that adds the cloudinit ca-certs functionality once update-ca-certificates itself works as intended.