Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

support custom ca chain #403

Closed
butonic opened this issue Oct 9, 2023 · 20 comments · Fixed by #599
Closed

support custom ca chain #403

butonic opened this issue Oct 9, 2023 · 20 comments · Fixed by #599
Labels
Category:Enhancement Add new functionality Priority:p4-low Low priority

Comments

@butonic
Copy link
Member

butonic commented Oct 9, 2023

In some deployments a self signed root CA is used to verify eg the certificate of S3. There are multiple ways to make ocis aware of one or more custom root CAs:

  1. build a custom container to include the correct CA chain
  2. set the SSL_CERT_DIR=/etc/ssl/certs env var and mount a certificate chain to eg. /etc/ssl/certs/custom.pem.

SSL_CERT_DIR will cause golang to read all certificates in that dir.

@butonic butonic added the Category:Enhancement Add new functionality label Oct 9, 2023
@wkloucek wkloucek added the Priority:p4-low Low priority label Oct 10, 2023
@wkloucek
Copy link
Contributor

CA chain is already partly supported for eg. LDAP.

we need a clear strategy how to deal with this:

  • HTTP clients
  • Store / Caches
  • Message Bus
  • Office Integrations / WOPI
  • Email Server
  • Tika

So far we only have a option to switch of certificat validation.

Related:

@butonic
Copy link
Member Author

butonic commented Nov 10, 2023

Workaround in #420 (comment)

@butonic
Copy link
Member Author

butonic commented Nov 10, 2023

SSL_CERT_DIR is read by golang to pick up custom certificates. We can use it to make every pod containing a golang binary read a a custom CA.

@dj4oC
Copy link

dj4oC commented Jun 6, 2024

@d7oc we need to prioritize this, because it is blocking currently @b1schumacher

@dj4oC
Copy link

dj4oC commented Jun 6, 2024

@b1schumacher does @butonic - solution not work?
#420 (comment)
If not, may I ask you to create a pull request to overcome this limitation?

@b1schumacher
Copy link
Contributor

The problem we are facing now, is that this is not just a S3 Problem but rather a global problem. We need the chain in every pod that needs to communicate with a service that is secured by the custom ca chain.

@dj4oC
Copy link

dj4oC commented Jun 6, 2024

So basically all service definitions need to be extended by these 10 lines?

@d7oc
Copy link
Contributor

d7oc commented Jun 6, 2024

There are common templates for all services. There might be one which can be used so just the template is enhanced and you get all for free.

@dj4oC
Copy link

dj4oC commented Jun 7, 2024

There are common templates for all services. There might be one which can be used so just the template is enhanced and you get all for free.

Does that mean we have a even faster implementation?

@wkloucek
Copy link
Contributor

wkloucek commented Jun 7, 2024

How do other Helm Charts solve this challenge? I'd always prefer to stick to practices that are also used by charts like bitnami / grafana.

EDIT: also I'd need to read up on how to properly manage CAs / certificates in Kubernetes for such a case.

@b1schumacher can you maybe describe your current solution for non-oCIS deployments?

@wkloucek
Copy link
Contributor

wkloucek commented Jun 7, 2024

Seems like Bitnami charts have something like this:

## TLS configuration
##
tls:
  ## @param tls.enabled Enable TLS traffic
  ##
  enabled: false
  ## @param tls.authClients Require clients to authenticate
  ##
  authClients: true
  ## @param tls.autoGenerated Enable autogenerated certificates
  ##
  autoGenerated: false
  ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates
  ##
  existingSecret: ""
  ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead.
  ##
  certificatesSecret: ""
  ## @param tls.certFilename Certificate filename
  ##
  certFilename: ""
  ## @param tls.certKeyFilename Certificate Key filename
  ##
  certKeyFilename: ""
  ## @param tls.certCAFilename CA Certificate filename
  ##
  certCAFilename: ""
  ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
  ##
  dhParamsFilename: ""

(taken from Bitnami Redis Chart values.yaml)

@wkloucek
Copy link
Contributor

wkloucek commented Jun 7, 2024

My question is also if we will have one CA or allow to have multiple, since there might be systems managed by different parts of a organisation:

  • HTTP clients
  • Store / Caches
  • Message Bus
  • Office Integrations / WOPI
  • Email Server
  • Tika

(from #403 (comment))

@b1schumacher
Copy link
Contributor

b1schumacher commented Jun 10, 2024

@wkloucek We had not yet had the issue with other applications, most of the time there was a parameter to use.

I will make a merge request for this issue and add one CA. I think this will be sufficient for most the use cases. If not we can add something to the documentation to explain how to change this to multiple CA's.

# Custom CA chain
# If a custom CA chain is needed for the communcation with other services like S3 or notification services.
# The secret needs to be manually created.
customCa:
  # Adds custom CA to pods
  enabled: false
  # Name of existing secret
  existingSecret: ""

@b1schumacher
Copy link
Contributor

@wkloucek @d7oc
I made a pull request.
It is possible to add multiple ca chains to the secret and with that add them all to the deployments. This will also solve the problem with different chains for different services.

@wkloucek
Copy link
Contributor

It is possible to add multiple ca chains to the secret and with that add them all to the deployments. This will also solve the problem with different chains for different services.

Will it continue to use the CA certificates shipped by the OS in the container?

@b1schumacher
Copy link
Contributor

Good point.
Right now this would overwrite the certificates, as all of them are already in /etc/ssl/certs

So there are to options.

  1. Add another dir to SSL_CERT_DIR with the default /etc/ssl/certs, but would break with changed default paths from the container
  2. Mount the CA chain as file, but then the key would have to be configured and only one would be possible

@b1schumacher
Copy link
Contributor

b1schumacher commented Jun 12, 2024

I would prefer option 2 with a good documentation and in future an option for multiple CA chains

@wkloucek
Copy link
Contributor

wkloucek commented Jun 12, 2024

I saw that one can provide multiple paths separated by :, see also golang/go#35325

Which means we could support the default path and our custom one!?

@b1schumacher
Copy link
Contributor

I implemented now a second path with the custom certificate and added the custom chain ca there. So now it should use both directories.

@wkloucek
Copy link
Contributor

wkloucek commented Sep 9, 2024

was solved in #599

@wkloucek wkloucek closed this as completed Sep 9, 2024
@github-project-automation github-project-automation bot moved this from Qualification to Done in Infinite Scale Team Board Sep 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category:Enhancement Add new functionality Priority:p4-low Low priority
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

5 participants