Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Certificate Authorities to wasmcloud host #72

Merged
merged 8 commits into from
Jul 17, 2024
Merged

feat: Certificate Authorities to wasmcloud host #72

merged 8 commits into from
Jul 17, 2024

Conversation

lxfontes
Copy link
Member

@lxfontes lxfontes commented Jul 11, 2024
edited
Loading

what

Fixes #69

Requires wasmCloud/wasmCloud#2468

Allow passing one or more certificate authorities into wasmcloud via configmaps & secrets.

Example authorities:

apiVersion: v1
kind: ConfigMap
metadata:
  name: org-authorities
data:
  dontmountme: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----
  root.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----

---
apiVersion: v1
kind: Secret
metadata:
  name: email-authorities
stringData:
  email.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----
  notifications.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----

how

We pass configmaps as part of the wasmcloud host definition:

apiVersion: k8s.wasmcloud.dev/v1alpha1
kind: WasmCloudHostConfig
metadata:
  name: wasmcloud-host
spec:
  lattice: default
  version: "1.0.4"
  natsAddress: nats://nats-cluster.default.svc.cluster.local
  certificates:
    authorities:
      - name: org-wide-authorities
         configmap:
           name: org-authorities
      - name: partner-authorities
         secret:
           secretName: email-authorities

The authorities list follows the Volume convention as defined in https://pkg.go.dev/k8s.io/api/core/v1#VolumeSource

The operator will mount the org-authorities configmap into the wasmcloud host container under /wasmcloud/certificates/ca-org-wide-authorities. Notice we prefix the authority name with ca-.
The operator then scans the configmap for items that end in .crt ( certificate ) and append them to the arguments passed to wasmcloud host. Ex: if the configmap has the keys dontmountme and root.crt, only the root.crt will be passed into wasmcloud as --tls-ca-path /wasmcloud/certificates/ca-org-wide-authorities/root.crt.

The same applies to Secrets.

We also raise a reconciliation error in case the desired object is not defined or not found.

@lxfontes
feat: Customize Certificate Authorities
0b036e2 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes lxfontes force-pushed the lxfontes/onboarding-certificates branch from ec19510 to 0b036e2 Compare July 11, 2024 20:58
lxfontes
lxfontes commented Jul 11, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 11, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
joonas
joonas reviewed Jul 12, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
@lxfontes
handling 'optional'
61f3554 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes
falling back to default if needed
ffec6b8 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes
changing function signature
cbbfa29 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes
better 'format'
6cbb314 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes lxfontes marked this pull request as ready for review July 12, 2024 20:31
joonas
joonas reviewed Jul 15, 2024
View reviewed changes
src/controller.rs Outdated Show resolved Hide resolved
@joonas
Copy link
Member

joonas commented Jul 15, 2024
edited
Loading

I'm not entirely sure I understand the purpose of optional, would you be able to elaborate what it's intended for?

@lxfontes
Copy link
Member Author

lxfontes commented Jul 15, 2024
edited
Loading

I'm not entirely sure I understand the purpose of optional, would you be able to elaborate what it's intended for?

Similar to optional in env mapping & volume mounting: It blocks reconciliation in case the desired object doesnt exist. The default behaviour is to yield a blank volume.

[edit]
thinking a bit more about it and can't think of a situation where we would want it to be optional=true.
lets chat cause this relates to relying on upstream structs or not ( https://pkg.go.dev/k8s.io/api/core/v1#ConfigMapVolumeSource ) as they always come with optional and defaultMode

@lxfontes
Using upstream structs
e275b4f 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@lxfontes
addressing nits
f6af671 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
lxfontes
lxfontes commented Jul 15, 2024
View reviewed changes
src/controller.rs
{
for authority in authorities.iter() {
let authority_name = authority.name.clone();
let volume_name = format!("ca-{authority_name}");
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the resulting volume name

lxfontes
lxfontes commented Jul 15, 2024
View reviewed changes
src/controller.rs
let secret_name = match &secret_ref.secret_name {
Some(s) => s,
None => {
return Err(Error::CertificateError(format!(
Copy link
Member Author

@lxfontes lxfontes Jul 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when secret.secretName is not present. similar check for configmap.

lxfontes
lxfontes commented Jul 15, 2024
View reviewed changes
src/lib.rs
@@ -31,6 +31,9 @@ pub enum Error {
#[error("Error retrieving secrets: {0}")]
SecretError(String),

#[error("Certificate error: {0}")]
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

specific error

lxfontes
lxfontes commented Jul 15, 2024
View reviewed changes
crates/types/src/v1alpha1/wasmcloud_host_config.rs
@@ -187,6 +189,11 @@ fn default_nats_leafnode_port() -> u16 {
7422
}

#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
pub struct WasmCloudHostCertificates {
pub authorities: Option<Vec<Volume>>,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using upstream structs.

@lxfontes
checking for valid types
65bbf5f 
Signed-off-by: Lucas Fontes <lucas@cosmonic.com>
@joonas joonas merged commit 97f0c12 into wasmCloud:main Jul 17, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joonas joonas joonas left review comments

@protochron protochron protochron approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support loading additional CA certificates from ConfigMaps in WasmCloudHostConfig
3 participants
@lxfontes @joonas @protochron