
feat: Certificate Authorities to wasmcloud host #72

Merged
merged 8 commits into from
Jul 17, 2024

Conversation

@lxfontes lxfontes (Member) commented Jul 11, 2024

what

Fixes #69

Requires wasmCloud/wasmCloud#2468

Allow passing one or more certificate authorities into wasmcloud via configmaps & secrets.

Example authorities:

apiVersion: v1
kind: ConfigMap
metadata:
  name: org-authorities
data:
  dontmountme: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----
  root.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----

---
apiVersion: v1
kind: Secret
metadata:
  name: email-authorities
stringData:
  email.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----
  notifications.crt: |
    -----BEGIN CERTIFICATE-----
    Custom CA certificate bundle.
    -----END CERTIFICATE-----

how

We pass configmaps as part of the wasmcloud host definition:

apiVersion: k8s.wasmcloud.dev/v1alpha1
kind: WasmCloudHostConfig
metadata:
  name: wasmcloud-host
spec:
  lattice: default
  version: "1.0.4"
  natsAddress: nats://nats-cluster.default.svc.cluster.local
  certificates:
    authorities:
      - name: org-wide-authorities
        configmap:
          name: org-authorities
      - name: partner-authorities
        secret:
          secretName: email-authorities

The authorities list follows the Volume convention as defined in https://pkg.go.dev/k8s.io/api/core/v1#VolumeSource

The operator will mount the org-authorities configmap into the wasmcloud host container under /wasmcloud/certificates/ca-org-wide-authorities. Notice we prefix the authority name with ca-.
The operator then scans the configmap for items that end in .crt (certificate) and appends them to the arguments passed to wasmcloud host. Ex: if the configmap has the keys dontmountme and root.crt, only root.crt will be passed into wasmcloud as --tls-ca-path /wasmcloud/certificates/ca-org-wide-authorities/root.crt.

The same applies to Secrets.

We also raise a reconciliation error in case the desired object is not defined or not found.
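The mount-and-scan behaviour described above, as an added example in Rust that is not the operator's code: it resolves each authority against a constructed in-memory stand-in for the cluster, derives the ca- volume name and mount path, keeps only keys ending in .crt, emits the --tls-ca-path arguments, and fails reconciliation when the object name is missing or the object is not found. The AuthoritySource, Store, CertificateError and sample_store names are assumptions for this example. The PEM-header check on each .crt value goes beyond the PR, which filters on the key suffix only.

```rust
use std::collections::BTreeMap;

/// Directory the operator mounts authority volumes under (from the PR description).
const CERT_DIR: &str = "/wasmcloud/certificates";
const PEM_HEADER: &str = "-----BEGIN CERTIFICATE-----";

/// Errors that block reconciliation (a stand-in for Error::CertificateError).
#[derive(Debug, PartialEq)]
pub enum CertificateError {
    /// `configmap.name` / `secret.secretName` was omitted in the spec.
    MissingName(String),
    /// The referenced object does not exist in the cluster.
    NotFound(String),
    /// A `.crt` key whose value does not start with a PEM certificate header
    /// (added check for this example; the PR filters on the key suffix only).
    InvalidPem { authority: String, key: String },
}

/// The two volume sources the PR handles; field names follow the upstream VolumeSource.
pub enum AuthoritySource<'a> {
    ConfigMap { name: Option<&'a str> },
    Secret { secret_name: Option<&'a str> },
}

pub struct Authority<'a> {
    pub name: &'a str,
    pub source: AuthoritySource<'a>,
}

/// Constructed stand-in for the API server: object name -> (data key -> contents).
pub type Store = BTreeMap<&'static str, BTreeMap<&'static str, &'static str>>;

/// Volume name derived from the authority name (the `ca-` prefix from the PR).
pub fn volume_name(authority: &str) -> String {
    format!("ca-{authority}")
}

/// Path the volume is mounted at inside the wasmcloud host container.
pub fn mount_path(authority: &str) -> String {
    format!("{CERT_DIR}/{}", volume_name(authority))
}

/// Resolve each authority against `store` and build the `--tls-ca-path` arguments,
/// keeping only keys that end in `.crt` (so a key like `dontmountme` is skipped).
pub fn ca_args(authorities: &[Authority], store: &Store) -> Result<Vec<String>, CertificateError> {
    let mut args = Vec::new();
    for authority in authorities {
        let (kind, object) = match &authority.source {
            AuthoritySource::ConfigMap { name } => ("configmap", *name),
            AuthoritySource::Secret { secret_name } => ("secret", *secret_name),
        };
        // Missing name in the spec: same outcome as the PR's "not defined" error.
        let object = object.ok_or_else(|| {
            CertificateError::MissingName(format!("{kind} name missing for authority {}", authority.name))
        })?;
        // Object absent from the cluster: the PR's "not found" reconciliation error.
        let data = store
            .get(object)
            .ok_or_else(|| CertificateError::NotFound(format!("{kind}/{object}")))?;
        for (key, contents) in data {
            if !key.ends_with(".crt") {
                continue;
            }
            if !contents.trim_start().starts_with(PEM_HEADER) {
                return Err(CertificateError::InvalidPem {
                    authority: authority.name.to_string(),
                    key: key.to_string(),
                });
            }
            args.push("--tls-ca-path".to_string());
            args.push(format!("{}/{key}", mount_path(authority.name)));
        }
    }
    Ok(args)
}

/// Constructed sample data mirroring the ConfigMap and Secret in the PR description
/// (certificate bodies are placeholders, not real CAs).
pub fn sample_store() -> Store {
    let pem = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n";
    let mut store = Store::new();
    store.insert("org-authorities", BTreeMap::from([("dontmountme", pem), ("root.crt", pem)]));
    store.insert("email-authorities", BTreeMap::from([("email.crt", pem), ("notifications.crt", pem)]));
    // A .crt key with non-PEM contents, to exercise the added validation.
    store.insert("bad-authorities", BTreeMap::from([("evil.crt", "not a certificate")]));
    store
}

fn main() {
    let store = sample_store();
    let authorities = [
        Authority { name: "org-wide-authorities", source: AuthoritySource::ConfigMap { name: Some("org-authorities") } },
        Authority { name: "partner-authorities", source: AuthoritySource::Secret { secret_name: Some("email-authorities") } },
    ];
    match ca_args(&authorities, &store) {
        Ok(args) => println!("wasmcloud {}", args.join(" ")),
        Err(e) => eprintln!("reconciliation blocked: {e:?}"),
    }
}
```

Filtering on the key suffix alone means anyone who can edit the referenced ConfigMap or Secret can add a `.crt` key and have it trusted by the host, so the objects deserve the same RBAC care as the host's other secrets; the header check here is a cheap guard against obviously wrong content, not a substitute for the host parsing the bundle.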

@lxfontes lxfontes force-pushed the lxfontes/onboarding-certificates branch from ec19510 to 0b036e2 on July 11, 2024 20:58
lxfontes added 4 commits July 12, 2024 17:15
@lxfontes lxfontes marked this pull request as ready for review July 12, 2024 20:31
@joonas joonas (Member) commented Jul 15, 2024

I'm not entirely sure I understand the purpose of optional, would you be able to elaborate what it's intended for?

@lxfontes lxfontes (Member Author) commented Jul 15, 2024

> I'm not entirely sure I understand the purpose of optional, would you be able to elaborate what it's intended for?

Similar to optional in env mapping & volume mounting: it blocks reconciliation in case the desired object doesn't exist. The default behaviour is to yield a blank volume.

[edit]
Thinking a bit more about it and can't think of a situation where we would want it to be optional=true.
Let's chat because this relates to relying on upstream structs or not ( https://pkg.go.dev/k8s.io/api/core/v1#ConfigMapVolumeSource ) as they always come with optional and defaultMode.

lxfontes added 2 commits July 15, 2024 16:35
{
for authority in authorities.iter() {
let authority_name = authority.name.clone();
let volume_name = format!("ca-{authority_name}");
lxfontes (Member Author): the resulting volume name

let secret_name = match &secret_ref.secret_name {
Some(s) => s,
None => {
return Err(Error::CertificateError(format!(
@lxfontes lxfontes (Member Author) Jul 15, 2024: when secret.secretName is not present. Similar check for configmap.

@@ -31,6 +31,9 @@ pub enum Error {
#[error("Error retrieving secrets: {0}")]
SecretError(String),

#[error("Certificate error: {0}")]
lxfontes (Member Author): specific error

@@ -187,6 +189,11 @@ fn default_nats_leafnode_port() -> u16 {
7422
}

#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
pub struct WasmCloudHostCertificates {
pub authorities: Option<Vec<Volume>>,
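Review bot: `Option<Vec<Volume>>` lets the CRD schema accept every VolumeSource variant (hostPath, emptyDir, projected, and so on), while the description says only `configmap` and `secret` are handled; the reconciler should return `Error::CertificateError` for an authority whose Volume carries any other source, so that a spec naming an unsupported source fails loudly rather than leaving the outcome unspecified. The `optional` and `defaultMode` fields that arrive with the upstream structs (raised in the discussion above) deserve the same treatment: document which values are honoured, or reject the rest.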
lxfontes (Member Author): using upstream structs.

@joonas joonas merged commit 97f0c12 into wasmCloud:main Jul 17, 2024
5 checks passed

Successfully merging this pull request may close these issues.

Support loading additional CA certificates from ConfigMaps in WasmCloudHostConfig