Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Let it be possible to specify optional CAcert for trust of remote cfssl #51

Merged
merged 4 commits into from
Jun 12, 2019
Merged

Let it be possible to specify optional CAcert for trust of remote cfssl #51

merged 4 commits into from
Jun 12, 2019

Conversation

johanot
Copy link
Contributor

@johanot johanot commented Aug 23, 2018

If you run cfssl apiserver tls-enabled, it is currently not possible to use self-signed certificate, because certmgr will reject it.

This PR makes it possible to use self-signed certificate on the cfssl apiserver, by providing an optional cert-spec option root_ca.

@johanot johanot mentioned this pull request Aug 24, 2018
Merged
9 tasks
@johanot
Copy link
Contributor Author

johanot commented Aug 28, 2018

@cbroglie Don't know if you work with certmgr as well? But since you merged my latest PR on cfssl, perhaps you'd care to review this as well? :) thanks in any case.

kalbasit
kalbasit suggested changes Aug 28, 2018
View reviewed changes
cert/cert.go Outdated
if len(ca.RootCACert) > 0 {
rootCABytes, err := ioutil.ReadFile(ca.RootCACert)
if err != nil {
panic(err)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why panic here? why not simply return nil, err?

cert/cert.go Outdated
rootCaCertPool := x509.NewCertPool()
ok := rootCaCertPool.AppendCertsFromPEM(rootCABytes)
if !ok {
panic("failed to parse rootCA certs")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should probably return nil, errors.New("failed to parse rootCA certs")

cert/cert.go Outdated
panic(err)
}

if err == nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Go devs are not fond of if..else blocks, can you change this entire block to:

if err != nil {
  return nil, err
}
rootCaCertPool := x509.NewCertPool() ...

also don't panic :)

cert/cert.go Outdated
pem []byte
}

func (ca *CA) getRemoteCert() ([]byte, error) {
remote := client.NewServer(ca.Remote)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove newline on top.

Let it be possible to specify optional CAcert for trust of remote cfs…
bfbe3b4 
…sl tls cert.

This makes it possible to use self-signed certificate on the cfssl apiserver.
@johanot
Copy link
Contributor Author

johanot commented Aug 29, 2018

@kalbasit Thanks for the review. Check bfbe3b4 now. Sorry about the poor error handling. The panics were clearly remnants of my debugging and shouldn't have made it to the PR :) embarrassing.

kalbasit
kalbasit previously approved these changes Aug 29, 2018
View reviewed changes
@kalbasit
Copy link

@johanot no worries :), it looks great now, hopwfully someone can merge this soon. Today, I will take a look at the k8s pr over on nixpkgs.

@johanot
Copy link
Contributor Author

johanot commented Aug 30, 2018

@kisom Can I kindly ask for your comment/opinion on this change?

@johanot
Copy link
Contributor Author

johanot commented Sep 4, 2018

@terinjokes Poking blindly here, but I would be very grateful if you or one of your colleagues could take a look at this PR and tell me whether it makes sense? :) We would like to include certmgr 1.6.1 (with this patch) in the upstream NixOS Kubernetes module.

@johanot
Copy link
Contributor Author

johanot commented Sep 24, 2018

@kisom @terinjokes Re-ping -> one month after PR creation.

terinjokes
terinjokes reviewed Sep 24, 2018
View reviewed changes
cert/cert.go Outdated
pem []byte
}

func (ca *CA) getRemoteCert() ([]byte, error) {
remote := client.NewServer(ca.Remote)
var tlsConfig tls.Config
if len(ca.RootCACert) > 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency with other checks in this file (eg, AuthKeyFile), we might want to compare against an empty string, rather than a length check.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @terinjokes.

Fixed in 519f8db .. Will squash if you approve. Any other comments to the functionality in general? It does make sense to implement support for self-signed certs on cfssl-apiserver this way right?

@johanot
Copy link
Contributor Author

johanot commented Oct 26, 2018

@terinjokes @kisom Is this something you will consider merging at some point, or is it just too far from the the core principals of certmgr? We've discussed in the NixOS kubernetes community whether to fork certmgr to be able to use self-signed certs with cfssl, or to build a new cfssl client; but I genuinely think that would be sad. I very much prefer to hear some sort of opinion from you on this, so that we can decide on whether to stick with upstream certmgr as cfssl client or not. Thanks a lot. :)

@adamtulinius
Copy link

@terinjokes @kisom Any updates on this?

@kisom
Copy link
Contributor

kisom commented Nov 16, 2018

@johanot @adamtulinius I'm no longer at Cloudflare and don't have access to this repo anymore :).

@vielmetti vielmetti mentioned this pull request Dec 14, 2018
Closed
ferringb
ferringb reviewed Jan 23, 2019
View reviewed changes
cert/cert.go Outdated
}
}

remote := client.NewServerTLS(ca.Remote, &tlsConfig)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless I'm missing something, this code change will result in an empty/zero initialized struct being passed for tlsConfig- rather than nil; does the consuming code make a difference in that regard?

More specifically, I want to confirm that these changes won't break the existing pathway, and tests don't exist so it's hard to evaluate this as a drive by reviewer.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ferringb You're right. Changed the tlsConfig var to be a pointer instead: aa36ac4 ... nil should be supported by the cfssl client lib. (https://github.com/cloudflare/cfssl/blob/master/api/client/client.go#L138)

ferringb
ferringb suggested changes Jan 23, 2019
View reviewed changes
Copy link
Contributor

@ferringb ferringb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The README.md should be updated w/ documentation for this new feature

@johanot
Copy link
Contributor Author

johanot commented Jan 30, 2019

@ferringb Is this sufficient docs? 55c595a

@ferringb
Copy link
Contributor

@johanot it is- pardon the delay in follow up.

@ferringb ferringb merged commit a88efd2 into cloudflare:master Jun 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terinjokes terinjokes terinjokes left review comments

@ferringb ferringb ferringb approved these changes

@kalbasit kalbasit kalbasit left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@johanot @kalbasit @adamtulinius @kisom @ferringb @terinjokes