Add support for FQDN K8s API servers and Root CA chains #144
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Add [CAStore](https://github.com/elixir-mint/castore) dependency for root CAs * This adds support for k8s servers using TLS certs with a custody chain back to a root certificate authority. i.e. no intermediate certificates * This would be typical of any k8s server with a public API available at a FQDN with a TLS cert whose chain of custody is covered by the root certificate authorities. * Sets the default ca_provider on K8s.Conn to CAStore * Sets the default cacertfile parameter for ssl_options to `conn.ca_provider` * Update `conn_test.exs` assertions for ssl_options * This makes the default when not using an intermediate certificate chain to use the root CA certificate chain.
mruoss
approved these changes
Mar 8, 2022
mix.exs
Outdated
| @@ -35,6 +35,7 @@ defmodule K8s.MixProject do | |||
| # Run "mix help deps" to learn about dependencies. | |||
| defp deps do | |||
| [ | |||
| {:castore, ">= 0.0.0"}, | |||
There was a problem hiding this comment.
Why not {:castore, "~> 0.1.0"}?
There was a problem hiding this comment.
I think you're right it'd probably be better to pin to the minor version. At the moment they are functionally equivalent all releases are 0.1.X, but we could protect against any major API changes by pinning it to the minor version. Let me update that real quick.
thephw
added a commit
to thephw/k8s
that referenced
this pull request
May 19, 2022
- Ref: coryodaniel#144 - I missed a codepath in the original PR that makes this not work with a call from K8s.Conn.from_file when using a FQDN for the server url.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Our k8s API servers use a fully qualified domain name and TLS certs from LetsEncrypt. In the current implementation no root CA certfiles are provided to HTTPoison. This causes an error when trying to configure and use a connection like below with
:verify_peer. This is a bit unexpected.Prior Art
Looked at a handful of other elixir libraries to see how they were managing root CA files. Most of them were using CAStore
Solution
Add CAStore dependency and integrate
cacertfileoption into K8s.Conn withCAStore.file_path()as the default.Changelog
conn. cacertfileconn_test.exsassertions for ssl_options