Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add fields for TLS material to destination config #2249

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

meln5674
Copy link

@meln5674 meln5674 commented Nov 18, 2024

Adds optional fields tls_cert_file, tls_key_file, and tls_cafile to the configuration TOML to support connecting to TLS and mTLS podman API sockets.

This is in support of containers/podman#24601 to fix containers/podman#24583 .

@rhatdan
Copy link
Member

rhatdan commented Nov 19, 2024

If you are going to add more fields, you need to document them in the containers.conf file and the containers.conf.5.md file.

@meln5674 meln5674 force-pushed the feature/remote-tls branch 2 times, most recently from 645a6fb to 1b75c0b Compare November 19, 2024 15:47
Signed-off-by: Andrew Melnick <meln5674@kettering.edu>
@rhatdan
Copy link
Member

rhatdan commented Dec 5, 2024

@Luap99 PTAL
/approve

Copy link
Contributor

openshift-ci bot commented Dec 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: meln5674, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Dec 5, 2024
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please add some basic test to pkg/config/connections_test.go to ensure the config files can be parsed correctly and the serialization/deserialization works/looks as expected.

Before merging this here we should properly have a formal agreement on the podman PR that we like to merge TLS support. I don't think anyone objects there but I like to be sure.


**identity="~/.ssh/id_rsa**

Path to file containing ssh identity key

**tls_cert_file="~/certs/podman/tls.crt"**
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see identity sets the same example with ~ but AFAIK our code will never expand this as we just pass it to the open syscall and normally the shell will expand ~ so this will most likely not work.

So this example might mislead some people to thinking it works, I would recommend using full paths in the example same for all the other cases here.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I think you're right. Do you think it'd be a good idea to require consumers (e.g. podman) to expand the tilde to be consistent with the identity field? Or does the identity example also need to be updated?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would just update the docs here, so far nobody has asked for it. And if you create the connections with podman system connection add --identity ~/... the shell already did it for us and we just see the full path anyway so I don't think it matters to users.

It only matters for users that manually write the connections in the config file but I am not aware of anyone doing this.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Done.

Signed-off-by: Andrew Melnick <meln5674@kettering.edu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support (m)TLS API socket
3 participants