wandb / helm-charts

Our official helm charts for deploying wandb into k8s
MIT License

feat: Add support for Custom CA to controller manager #206

Closed flamarion closed 3 months ago

flamarion commented 3 months ago

Go http client to test the requests

package main

import (
    "fmt"
    "net/http"
)

func main() {

    // Making an HTTPS GET request to the endpoint
    url := "https://git.home.lab"
    resp, err := http.Get(url)
    if err != nil {
        fmt.Printf("Error making GET request: %v\n", err)
        return
    }
    defer resp.Body.Close()

    // Print the response status to confirm the request was successful
    fmt.Printf("Request succeeded with status code: %d\n", resp.StatusCode)
}

The standard library supports the SSL_CERT_FILE and SSL_CERT_DIR environment variables to specify the location of the CA certificate file or directory. If SSL_CERT_FILE is set, the http.Get function will use the CA certificate file to verify the server's certificate. If SSL_CERT_DIR is set, the http.Get function will use the CA certificate files in the directory to verify the server's certificate.

Test using the SSL_CERT_FILE environment variable

Request without the env var set

flamarion@wandb-local:~/go-http-client$ go run main2.go
Error making GET request: Get "https://git.home.lab": tls: failed to verify certificate: x509: certificate signed by unknown authority

Request with the env var set

flamarion@wandb-local:~/go-http-client$ export SSL_CERT_FILE=$(realpath root-ca.crt)
flamarion@wandb-local:~/go-http-client$ go run main2.go
Request succeeded with status code: 200

Test using the SSL_CERT_DIR environment variable

Request without the env var set

flamarion@wandb-local:~/go-http-client$ go run main2.go
Error making GET request: Get "https://git.home.lab": tls: failed to verify certificate: x509: certificate signed by unknown authority

Request with the env var set

flamarion@wandb-local:~/go-http-client$ mkdir certs
flamarion@wandb-local:~/go-http-client$ mv root-ca.crt intermediate-ca.crt certs/
flamarion@wandb-local:~/go-http-client$ export SSL_CERT_DIR=./certs
flamarion@wandb-local:~/go-http-client$ go run main2.go
Request succeeded with status code: 200

Making a docker container using the same base images used by the operator to validate the requests

# Build the manager binary
FROM golang:1.20 AS manager-builder

ARG TARGETOS
ARG TARGETARCH

WORKDIR /workspace

COPY main.go main.go

# Build
# GOARCH has no default so that the binary is built for the platform where the command is
# run: with `make docker-build` on an Apple Silicon (M1) host the docker BUILDPLATFORM arg is
# linux/arm64, on an Intel Mac it is linux/amd64. Leaving it empty keeps the container and
# the binary it ships on the same platform. It is pinned to amd64 explicitly for this test.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go

FROM gcr.io/distroless/static-debian11

COPY --from=manager-builder /workspace/manager .

ENTRYPOINT ["/manager"]

Build the container

flamarion@wandb-local:~/go-http-client$ docker build -t manager:v0.1 .

Run the container without the env var set

flamarion@wandb-local:~/go-http-client$ docker run --rm manager:v0.1
Error making GET request: Get "https://git.home.lab": tls: failed to verify certificate: x509: certificate signed by unknown authority

Run the container with the SSL_CERT_FILE env var set

flamarion@wandb-local:~/go-http-client$ docker run --rm -e SSL_CERT_FILE=/certs/root-ca.crt -v ./certs/root-ca.crt:/certs/root-ca.crt manager:v0.1
Request succeeded with status code: 200

Run the container with the SSL_CERT_DIR env var set

flamarion@wandb-local:~/go-http-client$ docker run --rm -e SSL_CERT_DIR=/certs -v ./certs:/certs manager:v0.1
Request succeeded with status code: 200

Helm tests

Content of values.yaml

customCACerts:
- |
  -----BEGIN CERTIFICATE-----
  MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
  MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
  MDQwMTA4MjgzMFoXDTM0MDMzMDA4MjgzMFowLDEQMA4GA1UEChMHSG9tZUxhYjEY
  MBYGA1UEAxMPSG9tZUxhYiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
  QgAEqXGk4+Op8IpZo0bvVHp7/+bh2dUB0lsKS/s2k5sFnwDdn5U2dGuEf/ThphdY
  kXu96J8QLLi3ajyU1t3AqDxXiqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
  /wQIMAYBAf8CAQEwHQYDVR0OBBYEFACUX+y7e6joNWYggsMo8O+0mWLYMAoGCCqG
  SM49BAMCA0gAMEUCIQDejznNXCMUfBo1eIrjiVFhwuJgyQRaqMI149div72V2QIg
  P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
  -----END CERTIFICATE-----
- |
  -----BEGIN CERTIFICATE-----
  MIIBxTCCAWugAwIBAgIRAMXl8L4i99gapX+WGdpqaJcwCgYIKoZIzj0EAwIwLDEQ
  MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
  MDQwMTA4MjgzMVoXDTM0MDMzMDA4MjgzMVowNDEQMA4GA1UEChMHSG9tZUxhYjEg
  MB4GA1UEAxMXSG9tZUxhYiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggq
  hkjOPQMBBwNCAAQDzmSJjNVT2eqxpCn/Zsb+RaskgIDEPRRNrAjwuL5IJ3XZjvGC
  MaWcPQHhxG5aIWfmIX83zAYRKYXUZcYfnYuJo2YwZDAOBgNVHQ8BAf8EBAMCAQYw
  EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUK+moK4nZYvpNpqfvz/7m5wKU
  zgYwHwYDVR0jBBgwFoAUAJRf7Lt7qOg1ZiCCwyjw77SZYtgwCgYIKoZIzj0EAwID
  SAAwRQIhAIzXZMW44l6XMf9Nf4TxTevK8vE4Ic6E8UFqsCcILdXjAiA7iTluM0IU
  aIgJYVqKxXt25blH/VyBRzvNhViesfkNUQ==
  -----END CERTIFICATE-----

Upgrade the deployment

$ helm upgrade --install -n wandb operator ./charts/operator -f operator-values.yaml
Release "operator" has been upgraded. Happy Helming!
NAME: operator
LAST DEPLOYED: Tue Aug 27 15:30:30 2024
NAMESPACE: wandb
STATUS: deployed
REVISION: 2
TEST SUITE: None

Check the deployment

kubectl -n wandb get deployments.apps wandb-controller-manager -o yaml
[...]
spec:
[...]
    spec:
      containers:
[...]
        - name: SSL_CERT_DIR
          value: /certs
        image: wandb/controller:latest
[...]
        volumeMounts:
        - mountPath: /certs/customCA1.crt
          name: wandb-ca-certs
          subPath: customCA1.crt
[...]
      volumes:
      - configMap:
          defaultMode: 420
          name: operator-wandb-ca-certs
        name: wandb-ca-certs
[...]
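The deployment above hands the mounted files to Go through SSL_CERT_DIR, and an entry that does not parse as a CA certificate is dropped there without any message, so the first sign of a bad entry is the "certificate signed by unknown authority" error at request time. The following Go program is an added example, not code from this PR or the chart: it pre-checks a customCACerts list the way crypto/x509 will read it and names the entries that contribute nothing. The customCA<n>.crt naming is assumed from the volumeMounts output above, and NewTestCAPEM is a constructed helper that mints a throwaway CA so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// AuditCustomCACerts checks a customCACerts list the way crypto/x509 reads the files mounted
// under SSL_CERT_DIR, but reports which entries contribute no CA certificate instead of letting
// that surface later as "certificate signed by unknown authority". Entry i is reported as
// customCA<i+1>.crt (assumed from the chart's mount names). Only CA CERTIFICATE blocks count.
func AuditCustomCACerts(entries []string) (pool *x509.CertPool, accepted int, rejected []string) {
	pool = x509.NewCertPool()
	for i, entry := range entries {
		added := 0
		for block, rest := pem.Decode([]byte(entry)); block != nil; block, rest = pem.Decode(rest) {
			cert, err := x509.ParseCertificate(block.Bytes)
			if block.Type == "CERTIFICATE" && err == nil && cert.IsCA {
				pool.AddCert(cert)
				added++
			}
		}
		if added == 0 { // no usable block at all, e.g. a footer indented further than its header
			rejected = append(rejected, fmt.Sprintf("customCA%d.crt", i+1))
		}
		accepted += added
	}
	return pool, accepted, rejected
}

// NewTestCAPEM generates a throwaway self-signed ECDSA CA, constructed for this example; a
// real deployment lists the organisation's own root and intermediate certificates.
func NewTestCAPEM(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Running the audit against the rendered values before `helm upgrade` turns a silent trust-store gap into a named entry to fix.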