Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom CA #56

Open
kfox1111 opened this issue Oct 24, 2023 · 15 comments
Open

Custom CA #56

kfox1111 opened this issue Oct 24, 2023 · 15 comments
Assignees
Labels
enhancement New feature or request

Comments

@kfox1111
Copy link
Collaborator

Until k8s has a native way of adding CA's to the containers chain of trust, we need a way to do it on the spire containers anyway.

@marcofranssen
Copy link
Collaborator

Could you clarify this issue a bit further @kfox1111? It lacks context for anyone not been part of the discussion.

My assumption on what I think this is about as a solution:

We are doing this using cert-manager as a upstream ca to have that shared root of trust at the cluster level using a selfsigned CA on cert-manager level.

If you want trust beyond the cluster you could configure cert-manager to utilize PCA on Amazon e.g. to have a CA that is trusted beyond the cluster. Using cert-manager you can make any intermediate CAs on the cluster level, we do this for various components that need to manage their own certificates e.g. spire-ca.

What we can do is create an example of that if that is what this issue is about.

@kfox1111
Copy link
Collaborator Author

Other direction. When an organization has their own self signed CA, often for internal use, spire needs to talk to servers with that signature. For example, spire -> mysql, or spire -> federated http based endpoint. This means spire needs to be able to trust the CA for that organization. Currently thats only possible if the root chain of trust within the containers includes the orgs CA. This is currently not configurable.

There is not currently a native way to do this in k8s. It's being worked on though: kubernetes/enhancements#3257

There is a cert-manager subproject that could help in the mean time: https://cert-manager.io/docs/trust/trust-manager/ we could explore if we think that we want to add a dependency for this use case.

@kfox1111
Copy link
Collaborator Author

It looks like trust-manager just sets up the configmap though with the whole ca bundle. Its still left up to the user how to inject it into the containers. So we still likely need to add a feature to the chart in that case.

@marcofranssen
Copy link
Collaborator

It looks like trust-manager just sets up the configmap though with the whole ca bundle. Its still left up to the user how to inject it into the containers. So we still likely need to add a feature to the chart in that case.

You might be able to use this CA cert to create another cert-manager issuer based on that CA to do the Spire usecase.

@kfox1111
Copy link
Collaborator Author

It has nothing to do with issuers. it has to do with the container root chain of trust.

@marcofranssen
Copy link
Collaborator

It has nothing to do with issuers. it has to do with the container root chain of trust.

As a workarround you can use the cert-manager issuers to get the secrets created for each container until there is better official support in k8s.

@kfox1111
Copy link
Collaborator Author

how do you use cert manager to inject your corperate ca into the spire-server container?

@cccsss01
Copy link
Contributor

Happy to look into this.

@faisal-memon
Copy link
Collaborator

Thanks @cccsss01. Assigned to you.

@kfox1111
Copy link
Collaborator Author

Some relevant bits:

https://go.dev/src/crypto/x509/root_unix.go lines 19 - 25 define:

	// the SSL certificate file. If set this overrides the system default.
	certFileEnv = "SSL_CERT_FILE"

	// certDirEnv is the environment variable which identifies which directory
	// to check for SSL certificate files. If set this overrides the system default.
	// It is a colon separated list of directories.
	// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
	certDirEnv = "SSL_CERT_DIR"

Some places golang looks on various linux distro's:
https://go.dev/src/crypto/x509/root_linux.go

It would be nice if we could reuse this logic, but the container contains its own ca at the top of the list.... so it would take precident over all other distros....

We may want an enum of something like:
hostDistro: [redhat, centos, ubuntu, other]
so the user can specify what distro they have and we can mount in a path that is well known for that distro, with a fallthrough of letting the user mount their own with extraVolumes/extraVolumeMounts.

In any case, we set either SSL_CERT_DIR or SSL_CERT_FILE to tell spire-agent where to find it?

@cccsss01
Copy link
Contributor

cccsss01 commented Jan 29, 2024

I know hostPath is being used in other places, but it didn't look like the OIDC provider is using hostPath as of yet. I think it's worth investigating what could be done w/o hostPath, set envVariable to the external volume/mount?

@kfox1111
Copy link
Collaborator Author

I know hostPath is being used in other places, but it didn't look like the OIDC provider is using hostPath as of yet. I think it's worth investigating what could be done w/o hostPath, set envVariable to the external volume/mount?

the oidc provider shouldn't need it as its exporting only.

Think the two pieces that may need overrides are the agent and the server. The agent has hostpaths already, so those should be good to go.

the server probably should have its own configmap/secret I think, as it probably shouldn't ever have hostPath.

This task should probably be made into two pr's? one for the agent (higher priority) and one for the server (lower priority) I think?

@cccsss01
Copy link
Contributor

cccsss01 commented Jan 29, 2024

You'd know best I'm still getting caught up with whrre I left off, with the new csi driver and spiffe helper.

@edwbuck
Copy link
Collaborator

edwbuck commented Jun 18, 2024

@kfox1111 Your commentary here leaves the request unclear. Can we move from this discussion to some sort of proposed action?

@kfox1111
Copy link
Collaborator Author

We need a mechanism to allow the user to inject a ca file or ca path into the spire-agent and spire-server containers via configmap/secret

In the case of the spire-agent, the ability to hostPath in the hosts ca's would be useful as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants