-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support custom ca chain #403
Comments
CA chain is already partly supported for eg. LDAP. we need a clear strategy how to deal with this:
So far we only have a option to switch of certificat validation. Related: |
Workaround in #420 (comment) |
|
@d7oc we need to prioritize this, because it is blocking currently @b1schumacher |
@b1schumacher does @butonic - solution not work? |
The problem we are facing now, is that this is not just a S3 Problem but rather a global problem. We need the chain in every pod that needs to communicate with a service that is secured by the custom ca chain. |
So basically all service definitions need to be extended by these 10 lines? |
There are common templates for all services. There might be one which can be used so just the template is enhanced and you get all for free. |
Does that mean we have a even faster implementation? |
How do other Helm Charts solve this challenge? I'd always prefer to stick to practices that are also used by charts like bitnami / grafana. EDIT: also I'd need to read up on how to properly manage CAs / certificates in Kubernetes for such a case. @b1schumacher can you maybe describe your current solution for non-oCIS deployments? |
Seems like Bitnami charts have something like this: ## TLS configuration
##
tls:
## @param tls.enabled Enable TLS traffic
##
enabled: false
## @param tls.authClients Require clients to authenticate
##
authClients: true
## @param tls.autoGenerated Enable autogenerated certificates
##
autoGenerated: false
## @param tls.existingSecret The name of the existing secret that contains the TLS certificates
##
existingSecret: ""
## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead.
##
certificatesSecret: ""
## @param tls.certFilename Certificate filename
##
certFilename: ""
## @param tls.certKeyFilename Certificate Key filename
##
certKeyFilename: ""
## @param tls.certCAFilename CA Certificate filename
##
certCAFilename: ""
## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
##
dhParamsFilename: "" (taken from Bitnami Redis Chart values.yaml) |
My question is also if we will have one CA or allow to have multiple, since there might be systems managed by different parts of a organisation:
(from #403 (comment)) |
@wkloucek We had not yet had the issue with other applications, most of the time there was a parameter to use. I will make a merge request for this issue and add one CA. I think this will be sufficient for most the use cases. If not we can add something to the documentation to explain how to change this to multiple CA's.
|
Will it continue to use the CA certificates shipped by the OS in the container? |
Good point. So there are to options.
|
I would prefer option 2 with a good documentation and in future an option for multiple CA chains |
I saw that one can provide multiple paths separated by Which means we could support the default path and our custom one!? |
I implemented now a second path with the custom certificate and added the custom chain ca there. So now it should use both directories. |
was solved in #599 |
In some deployments a self signed root CA is used to verify eg the certificate of S3. There are multiple ways to make ocis aware of one or more custom root CAs:
SSL_CERT_DIR=/etc/ssl/certs
env var and mount a certificate chain to eg./etc/ssl/certs/custom.pem
.SSL_CERT_DIR will cause golang to read all certificates in that dir.
The text was updated successfully, but these errors were encountered: