Provide CA Certificates via cloud-init's ca_certs module #262
Conversation
Codecov Report. Attention: Patch coverage is

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##             main     #262      +/-   ##
==========================================
+ Coverage   24.82%   25.27%   +0.44%
==========================================
  Files          23       24       +1
  Lines        1740     1812      +72
==========================================
+ Hits          432      458      +26
- Misses       1286     1329      +43
- Partials       22       25       +3
```
pkg/probes/curl/curl_json.go

```go
if cacert := userDataVariables["CACERT"]; cacert != "" {
	type CaCert struct {
		Trusted []string `yaml:"trusted"`
	}
	type CloudConfig struct {
		CaCerts CaCert `yaml:"ca_certs"`
	}

	cloudInit := CloudConfig{
		CaCerts: CaCert{
			Trusted: []string{
				strings.TrimSpace(cacert),
			},
		},
	}

	cloudInitYamlBytes, cloudInitMarshalErr := yaml.Marshal(&cloudInit)
	if cloudInitMarshalErr != nil {
		return "", fmt.Errorf("unable to create cloud init config: %w", cloudInitMarshalErr)
	}

	userDataVariables["CACERT_RENDERED"] = strings.TrimSpace(string(cloudInitYamlBytes))
}
```
Neat approach, and smart way of avoiding complicated YAML escaping
Very good stuff. I re-ran tests behind a transparent proxy to great success. I was then able to tweak my terraform testing scripts enough to get a non-transparent proxy working, and that's when I realized that curl does some extra SSL certificate checks when non-transparent proxies are specified (e.g., via `osd-network-verifier egress --https-proxy="https://...`). So the suggestion below just tells curl to check the same trust store dir for proxy SSL certs as it does for "unproxied" (or transparently proxied) SSL certs.
Co-authored-by: Anthony Byrne <[email protected]>
Tested locally. Nice work! /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abyrne55. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What does this PR do? / Related Issues / Jira

Currently, the curl flag we're using to provide a CA cert will only use the provided cert; we want to use both the supplied SSL cert and RHEL's OEM trust bundle. This change moves away from the curl flag and instead uses the `ca_certs` module of cloud-init.

Resolves OSD-24353
How to test this PR locally / Special Instructions
See OSD-24353 for setting up a transparent proxy. I used https://gitlab.cee.redhat.com/travi/osd-proxy-infra for setting up a non-transparent proxy.
I ran these new changes against
In all situations, I saw the expected results. Elaborating more on the split-cert situation, I set up a transparent proxy using mitmproxy with `--ignore-hosts registry.redhat.io:443` in the service file. When I ran network verifier without passing a capath, all URLs failed EXCEPT registry.redhat.io.
With this change, the userdata template expands to something like the following:
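Added example, not the PR's own code nor the rendered template above: the input check a practitioner would want before user-supplied `CACERT` text is handed to `ca_certs` (exactly one parseable PEM block, and it must be a CA certificate), followed by rendering of the cloud-config. It uses only the Go standard library, so it writes the YAML literal block scalar itself instead of calling the yaml package as the PR does; `RenderCACertsCloudConfig` and `selfSignedPEM` are names chosen here, and the certificate is constructed demo data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RenderCACertsCloudConfig accepts exactly one PEM-encoded CA certificate and
// renders a cloud-config that installs it via cloud-init's ca_certs module (added
// to the system bundle, not replacing it as curl --cacert does). The PEM goes in a
// YAML literal block scalar, safe because canonical PEM lines are base64 + dashes.
func RenderCACertsCloudConfig(input string) (string, error) {
	block, rest := pem.Decode([]byte(strings.TrimSpace(input)))
	if block == nil || block.Type != "CERTIFICATE" || strings.TrimSpace(string(rest)) != "" {
		return "", fmt.Errorf("CACERT must be exactly one PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || !cert.IsCA { // a leaf cert in the trust store is useless and misleading
		return "", fmt.Errorf("CACERT must be a parseable CA certificate (parse error: %v)", err)
	}
	// Re-encode from DER so only canonical PEM lines reach the YAML document.
	canonical := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes}))
	var sb strings.Builder
	sb.WriteString("#cloud-config\nca_certs:\n  trusted:\n  - |\n")
	for _, line := range strings.Split(strings.TrimRight(canonical, "\n"), "\n") {
		sb.WriteString("    " + line + "\n")
	}
	return sb.String(), nil
}

// selfSignedPEM builds a throwaway self-signed certificate (constructed demo data).
func selfSignedPEM(isCA bool) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-proxy-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	out, err := RenderCACertsCloudConfig(selfSignedPEM(true))
	fmt.Printf("%s# render error: %v\n", out, err)
}
```

Feeding `selfSignedPEM(false)`, two concatenated certificates, or non-PEM text to the renderer returns an error instead of a document, which is the point: nothing that is not a single CA certificate should reach the instance's trust store.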