Allow to inject custom certificate authorities #41
Blocked, waiting for the new architecture to be in place.

Configmap keys can only contain alphanumeric characters, sources.yaml:

```yaml
source_authorities:
  "internal-registry.dev.my-company.com": /sources/<sha256 of URI>
  "other-internal-registry.dev.my-company.com:5001": /sources/<sha256 of URI>
<sha256 of URI>: <pem cert1>
<sha256 of URI>: <pem cert2>
```

And take care to mount the cert files as follows, or similar:

That sounds good to me, thanks for having noticed that!
@kubewarden/kubewarden-developers the more I go with it, the less I like it. I would like to change policy-server as explained in option 3 below. I have an implementation: see viccuad@680433b. That implementation currently leaks entries in sha512 in the configmap. See the FIXME.

On an update to the PolicyServer configmap, we have:

```yaml
data:
  b0e018a10878ee63f1dad41be8a972d3c1b23a0109b7ef671589acda0abed0d5: pem cert 1
  fe7faa899a162befbe70285b92a2ee5a57dac329720f2adfde184b4e267ac2bc: pem cert 2
  policies.yml: '{}'
  sources.yml: '{"source_authorities":{"host.k3d.internal:5000":"/sources/b0e018a10878ee63f1dad41be8a972d3c1b23a0109b7ef671589acda0abed0d5","host.k3d.internal:999":"/sources/fe7faa899a162befbe70285b92a2ee5a57dac329720f2adfde184b4e267ac2bc"}}'
kind: ConfigMap
```

Those sha512 entries cannot be easily removed on reconciling an update. Options that I see:
We went with option 3, implemented in:

Turns out that rust's serde has a limitation, and either we remove the

Went with the second option, see:

This changes the sources.yml format to:

```yaml
---
insecure_sources:
  - "registry.dev.my-corp.com"
  - "registry-2.dev.my-corp.com:5001"
source_authorities:
  "registry.pre.my-corp.com":
    - type: PathBased
      path: "/path/to/ca.pem"
  "registry-2.pre.my-corp.com:5001":
    - type: PathBased
      path: "/path/to/ca.pem"
    - type: PathBased
      path: "/path/to/ca.der"
    - type: DataBased
      data: |
        our PEM encoded cert
```

TODO:
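The following Go program is an added example written for this page; it is not code from kubewarden-controller or policy-server. It serves two passages of the thread at once: the ConfigMap layout with one sha256-named key per certificate that leaked entries on reconcile (earlier comment), and the final `sources.yml` format with `PathBased` and `DataBased` entries (comment above). It renders a `sourceAuthorities` value into ConfigMap data and rebuilds that data from scratch on every call, so a certificate dropped from the CRD loses its key on the next reconcile instead of lingering. The type and function names (`CertSource`, `SourceAuthorities`, `BuildConfigMapData`, `certKey`, `validatePEM`) and the sample PEM string are assumptions made for the example, not the project's API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"sort"
)

// CertSource is one list entry of the sourceAuthorities attribute:
// {type: PathBased, path: ...} or {type: DataBased, data: ...}.
type CertSource struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"`
	Data string `json:"data,omitempty"`
}

// SourceAuthorities maps a registry host[:port] to its trusted CA sources.
type SourceAuthorities map[string][]CertSource

// sourcesFile is what gets written under the sources.yml key. It is emitted
// as JSON, which is valid YAML and matches the controller output in the thread.
type sourcesFile struct {
	InsecureSources   []string            `json:"insecure_sources,omitempty"`
	SourceAuthorities map[string][]string `json:"source_authorities"`
}

// certKey derives the ConfigMap key for inline certificate data. A hex digest
// only contains [0-9a-f], so it always satisfies the ConfigMap key charset.
func certKey(pemData string) string {
	sum := sha256.Sum256([]byte(pemData))
	return hex.EncodeToString(sum[:])
}

// validatePEM rejects DataBased entries that are not a PEM CERTIFICATE block,
// so a typo in the CRD is caught at reconcile time rather than at Pod start.
// (A real controller would additionally run x509.ParseCertificate on the DER.)
func validatePEM(data string) error {
	block, _ := pem.Decode([]byte(data))
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("data is not a PEM encoded CERTIFICATE")
	}
	return nil
}

// BuildConfigMapData renders the ConfigMap data from scratch on every call.
// Rebuilding instead of merging into the existing map is what avoids the leak
// discussed above: a certificate removed from the CRD is simply not emitted
// again, so its sha256 key disappears on the next reconcile.
func BuildConfigMapData(insecure []string, auth SourceAuthorities) (map[string]string, error) {
	data := map[string]string{}
	sf := sourcesFile{InsecureSources: insecure, SourceAuthorities: map[string][]string{}}

	hosts := make([]string, 0, len(auth))
	for h := range auth {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts) // deterministic output, so reconcile does not churn

	for _, host := range hosts {
		for _, src := range auth[host] {
			switch src.Type {
			case "PathBased":
				sf.SourceAuthorities[host] = append(sf.SourceAuthorities[host], src.Path)
			case "DataBased":
				if err := validatePEM(src.Data); err != nil {
					return nil, fmt.Errorf("%s: %w", host, err)
				}
				key := certKey(src.Data)
				data[key] = src.Data
				sf.SourceAuthorities[host] = append(sf.SourceAuthorities[host], "/sources/"+key)
			default:
				return nil, fmt.Errorf("%s: unknown source type %q", host, src.Type)
			}
		}
	}
	raw, err := json.Marshal(sf)
	if err != nil {
		return nil, err
	}
	data["sources.yml"] = string(raw)
	return data, nil
}

// samplePEM is a constructed placeholder with a valid PEM envelope; the body is
// not a real certificate.
const samplePEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

func main() {
	data, err := BuildConfigMapData(nil, SourceAuthorities{
		"host.k3d.internal:5000": {{Type: "DataBased", Data: samplePEM}},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(data["sources.yml"])
}
```

Running it prints a `sources.yml` string of the same shape as the one in the thread, with the inline certificate rewritten to a `/sources/<sha256>` path. The design point is in `BuildConfigMapData`: because the controller owns every key in the ConfigMap, regenerating the whole `data` map and replacing it wholesale is simpler and safer than diffing against the previous contents, and it also gives the Deployment rollout a deterministic input.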
Note:

Doh, that's a good point. Edited the previous comment to reflect it.

Missing approvals for kubewarden/helm-charts#43, which unblocks the docs. With that, the card could be closed.

Closing, all PRs merged, docs live, new releases live, sanity tests performed on the kubewarden chart repo.
Some users might want to pull policies from https/OCI registries that are secured using self-signed certificates.

This can be done by starting the Policy Server process with a specially crafted `sources.yml` file. The format of the file is described here.

To address this issue, we will have to produce a `sources.yml` file that looks like that:

Design

We will extend the Policy Server CRD to have a new attribute named `sourceAuthorities`. This attribute is a map with:

The user can change at any time the value of the `sourceAuthorities` attribute; this will lead to a rollout of the PolicyServer Deployment.

Behind the scenes, the controller will update a ConfigMap that has a key named `sources.yml`, with a string as value. The string will hold the contents of the `sources.yml` file.

The ConfigMap will also have one entry per certificate specified with:

This ConfigMap is then mounted into the Policy Server Pods. The Policy Server Pod Template is updated to make use of this `sources.yml` file.

We can probably extend the already existing ConfigMap that each Policy Server already uses to store the contents of the `policies.yml` file.

Given the following `sourceAuthorities`:

The ConfigMap created by the controller will be the following one:
Acceptance criteria

- `sourceAuthorities`
- `sourceAuthorities` attribute