Support adding untrusted root CA certificates (corp certs) #5015
Conversation
Signed-off-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com>
Hi @laozc. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: laozc The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Can one of the admins verify this patch? |
This PR allows users to add root CA certificates in minikube VM. CA certificates in $HOME/.minikube/certs will be populated to system certificate store. Note: This requires a change to minikube ISO so you may need to delete and start a brand new minikube VM. Signed-off-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com>
@minikube-bot OK to test |
8b58763 to 002956f
@laozc Thank you so much for this PR! This is actually very exciting! Do you mind sharing if you have tested this for yourself? And I am very curious to find out how I could test it myself. Is there a way I could simulate a corp environment root CA and first see it fail and then, after this PR, see it succeed? |
I've verified the PR on both Linux and Windows (Hyper-V) myself. I used the PR against my own CA inside a private network (mynetwork.net), which runs a private Docker image server (docker.mynetwork.net) with TLS enabled.
These operations should not produce any errors like You may use a self-signed root CA, generate a server cert with the root and OpenSSL to verify this PR. |
This PR is wonderful. I just have small nitpicks.
I would love to see an integration test for this. Do you have scripts that I could run to exactly simulate those steps? |
@minikube-bot OK to test. |
Unfortunately, except for generating SSL certificates, I don't have the script to launch an image repository with an SSL certificate. |
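The verification steps sketched in the earlier comment (a self-signed root CA, a server certificate issued by it for the private registry host, both checked with OpenSSL) as an added example script; this is not code from the PR or from the minikube project. The hostnames `mynetwork.net` and `docker.mynetwork.net` follow the comment above; the file names, the 30-day validity and the `stage_root_for_minikube` helper that copies the root into the `certs` directory this PR reads are assumptions.

```shell
#!/bin/sh
# Added example (not part of the minikube PR): build a throwaway private PKI
# with OpenSSL so the corp-root-CA flow can be exercised end to end.
# All file names below are assumptions; hostnames follow the PR discussion.

# make_test_pki DIR
#   Creates a self-signed root CA and a server certificate for the private
#   registry host signed by that root, then checks with `openssl verify` that
#   the server cert FAILS against the default trust store and PASSES once the
#   private root is supplied. Echoes "OK" on success.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Self-signed root CA: this is the PEM file a user would drop into
  #    ~/.minikube/certs so the minikube VM trusts it.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=mynetwork.net test root CA" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null || return 1

  # 2. Server key and CSR for the registry hostname.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=docker.mynetwork.net" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

  # 3. Issue the server cert from the root; a SAN is added because modern
  #    TLS clients (including Docker) ignore the CN for hostname matching.
  printf 'subjectAltName=DNS:docker.mynetwork.net\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server.ext"
  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" \
    -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null || return 1

  # 4a. Negative check: the default trust store does not know this root, so
  #     verification must fail (this is the "see it fail" state before the PR).
  if openssl verify "$dir/server.pem" >/dev/null 2>&1; then
    echo "FAIL: server cert verified without the private root"
    return 1
  fi

  # 4b. Positive check: with the private root supplied, the chain verifies
  #     (the state the PR reaches by installing the root inside the VM).
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.pem" >/dev/null 2>&1 || {
    echo "FAIL: server cert did not verify against the private root"
    return 1
  }
  echo OK
}

# stage_root_for_minikube ROOT_PEM CERTS_DIR
#   Copies the root certificate into the directory this PR scans on VM start.
#   CERTS_DIR defaults to ~/.minikube/certs (assumed layout from the PR text).
stage_root_for_minikube() {
  root="$1"
  certs_dir="${2:-$HOME/.minikube/certs}"
  mkdir -p "$certs_dir"
  cp "$root" "$certs_dir/" || return 1
  echo "$certs_dir/$(basename "$root")"
}

# Usage: ./make_test_pki.sh run [output-dir]
if [ "${1:-}" = "run" ]; then
  out="${2:-$(mktemp -d)}"
  make_test_pki "$out" && stage_root_for_minikube "$out/rootCA.pem"
fi
```

After staging the root, the remaining manual step from the discussion is to serve a registry with `server.pem`/`server.key` under the `docker.mynetwork.net` name, recreate the minikube VM (the PR notes the ISO changed), and confirm that a pull from that registry no longer fails with a certificate error.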
This is great work! I know many people whose lives would be happier when this PR gets merged! Very thoughtful! Could you add a tutorial on the cert, maybe in the site? BTW, this needs a rebase. I am excited to see this PR! |
here is an example of tutorials file: |
@laozc This is beautiful work ! it looks good to be merged after the tests pass ! I feel impatient to merge it ! thank you for this ! |
@laozc do you happen to know the exact error messages that minikube crashes on if they don't add the corp certs? I think it would be nice to add a Solution message to the user and advise them to read this great tutorial you wrote. Something to be added here, like this one: https://github.com/kubernetes/minikube/blob/master/pkg/minikube/problem/err_map.go#L97 BTW please feel free to add your name to the tutorial on the site as the author! You deserve all the credit. |
Thank you!
Let me reproduce it and make another change for a more user-friendly error prompt later.
Thanks. Happy to help. |
This PR allows users to populate Corp Root CA certificates by adding certificates in PEM format to ~/.minikube/certs. These certificates will be added to the system certificate store, which will be trusted by all processes running in the minikube VM.
Closes: #1408