-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Certificate Authorities to wasmcloud host #72
feat: Certificate Authorities to wasmcloud host #72
Conversation
Signed-off-by: Lucas Fontes <[email protected]>
ec19510
to
0b036e2
Compare
Signed-off-by: Lucas Fontes <[email protected]>
Signed-off-by: Lucas Fontes <[email protected]>
Signed-off-by: Lucas Fontes <[email protected]>
Signed-off-by: Lucas Fontes <[email protected]>
I'm not entirely sure I understand the purpose of |
Similar to [edit] |
Signed-off-by: Lucas Fontes <[email protected]>
Signed-off-by: Lucas Fontes <[email protected]>
{ | ||
for authority in authorities.iter() { | ||
let authority_name = authority.name.clone(); | ||
let volume_name = format!("ca-{authority_name}"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the resulting volume name
let secret_name = match &secret_ref.secret_name { | ||
Some(s) => s, | ||
None => { | ||
return Err(Error::CertificateError(format!( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when secret.secretName
is not present. similar check for configmap.
@@ -31,6 +31,9 @@ pub enum Error { | |||
#[error("Error retrieving secrets: {0}")] | |||
SecretError(String), | |||
|
|||
#[error("Certificate error: {0}")] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
specific error
@@ -187,6 +189,11 @@ fn default_nats_leafnode_port() -> u16 { | |||
7422 | |||
} | |||
|
|||
#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)] | |||
pub struct WasmCloudHostCertificates { | |||
pub authorities: Option<Vec<Volume>>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
using upstream structs.
Signed-off-by: Lucas Fontes <[email protected]>
what
Fixes #69
Requires wasmCloud/wasmCloud#2468
Allow passing one or more certificate authorities into wasmcloud via configmaps & secrets.
Example authorities:
how
We pass configmaps as part of the wasmcloud host definition:
The
authorities
list follows the Volume convention as defined in https://pkg.go.dev/k8s.io/api/core/v1#VolumeSourceThe operator will mount the
org-authorities
configmap into the wasmcloud host container under/wasmcloud/certificates/ca-org-wide-authorities
. Notice we prefix the authority name withca-
.The operator then scans the configmap for items that end in
.crt
( certificate ) and append them to the arguments passed to wasmcloud host. Ex: if the configmap has the keysdontmountme
androot.crt
, only theroot.crt
will be passed into wasmcloud as--tls-ca-path /wasmcloud/certificates/ca-org-wide-authorities/root.crt
.The same applies to Secrets.
We also raise a reconciliation error in case the desired object is not defined or not found.