Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow using custom CA certificates #900

Open
mpepping opened this issue Oct 18, 2023 · 2 comments
Open

Allow using custom CA certificates #900

mpepping opened this issue Oct 18, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@mpepping
Copy link

Summary

As "an operator"
I want "to use my custom CA bundle with K8up"
So that "I can use a trusted, verified TLS connection to my backup backend"

Context

To handle TLS connections that use a custom/self-signed CA as certificate issuer, we now create our own K8up container images that includes our own certificates. This allows us to have a verified connection to our S3 compatible backup backend.

We would prefer to have an option in the K8up container image itself to refer a custom CA bundle. This is supported in Restic via the --cacert flag.

Effectively, we want to appoint a CA bundle file via an env.var or config file for the K8s Pod.

Out of Scope

Further links

Acceptance Criteria

No response

Implementation Ideas

  • Referring a CA cert via the Object specification
  • Golang's SSL_CERT_FILE variable
@mpepping mpepping added the enhancement New feature or request label Oct 18, 2023
@mpepping
Copy link
Author

mpepping commented Oct 18, 2023
edited
Loading

Just FYI; This is roughly how we build a custom image now.

FROM registry.example.com/k8up-io/k8up:v2.7.1

USER root

RUN \
  apk add --no-cache openssl &&\
  /usr/bin/curl "http://pki.example.com/RootCACert.crt" |\
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/root.crt; \
  /usr/bin/curl "http://pki.example.com/intermediate.crt" |\
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/intermediate.crt; \
  /usr/bin/curl "http://pki.example.com/myissuer.crt" |\
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/myissuer.crt; \
  /usr/sbin/update-ca-certificates

USER 6553

@poyaz
Copy link
Contributor

poyaz commented Nov 20, 2023

Hi

We have the same problem with k8up and our s3 server runs as TLS with a self-sign certificate. We would like to use the feature for mounting certificate files.

I am interested in developing this feature. I'd like to add these features:

  1. First, add options for using extraMount options to add certificate files
  2. Second, add env (or s3 parse URI) for TLS insecure

Reference:
#792

@Kidswiss @tobru

@poyaz poyaz mentioned this issue Mar 23, 2024
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mpepping @poyaz