-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mtls over grpc #291
base: main
Are you sure you want to change the base?
mtls over grpc #291
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
Co-authored-by: Kaloyan <36224699+krucod3@users.noreply.github.com>
added warning output that the ank-server is started in insecure mode used wildcards for SAN of agent default cert generation
How is it with requirements? I see neither new requirements nor mapping existing requirements to the new code and tests. This surprises me. |
Co-authored-by: Rostislav Matura <35850677+maturar@users.noreply.github.com>
There is no surprise, as this PR is not ready for review yet, so the requirements will come. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have reviewed the implementation. SwDD needs to be reviewed yet.
agent/src/runtime_connectors/podman_kube/podman_kube_runtime.rs
Outdated
Show resolved
Hide resolved
|
||
Status: approved | ||
|
||
When the root, the server's certificate and the key is provided upon start of the gRPC server, the gRPC server shall use the provided certificates and the key to activate mTLS for the gRPC communication between the involved parties. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not understand the beginning "When the root,...". Do you mean when the user is running Ankaios (server or agent) as root?
This is valid also for another requirements below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a listing "the root, the server's certificate and the key ...". But still there is a mistake, it should be "the root, the server's certificate and the key are" instead of "the root, the server's certificate and the key is"
|
||
Rationale: | ||
|
||
To avoid complexity, coming with mTLS configuration e.g. certificates generation and management, during development phase, mTLS can be activated on demand. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to write it with every requirement? What about writing this rationale to the SwDD as design decision (and remove it from here)?
|
||
Rationale: | ||
|
||
The advantage of using a PEM file is due to its text-based, human-readable format, making it more versatile, as it can contain certificates, private keys, public keys and even certificate chain, compared to DER. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about writing this as design decision?
Before this change ca-key.pem has been stored in /etc/ankaios/certs but as it is not needed during runtime, the generation has been changed to store it in the local directory. Issue-Id: #6
I have tested the tutorial "Setting up Ankaios with mTLS" again and when starting the ank-server it fails with the error message:
That message does not make sense. The only secret parts of the certificates are the key files, i.e. those files as passed with the The rest of the files, i.e. those which are passed with |
removed expect usage
Permission check is now done only for key_pem file! |
Issues: #6
Definition of Done
The PR shall be merged only if all items mentioned in CONTRIBUTING.md have been followed. In case an item is not applicable as described, please provide a short explanation in the description.