certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver #45567
Conversation
@GrahamcOfBorg test certmgr.command certmgr.systemd

Success on aarch64-linux (full log) Attempted: certmgr
Success on x86_64-linux (full log) Attempted: certmgr
Success on x86_64-linux (full log) Attempted: tests.certmgr.command, tests.certmgr.systemd
Failure on aarch64-linux (full log) Attempted: tests.certmgr.command, tests.certmgr.systemd

force-pushed from df46b30 to d111bfe

Success on x86_64-linux (full log) Attempted: certmgr
Success on aarch64-linux (full log) Attempted: certmgr
While I realize that it's an unfortunate situation that this isn't merged yet, since the revamped k8s module depends on it, I think we should have at least some indication that upstream is going to actually be merging this, and not just a fetchpatch from an open PR, before we include it under the "certmgr" name and not a clearly forked version.

force-pushed from d111bfe to df8a698

Success on aarch64-linux (full log) Attempted: certmgr
Success on x86_64-linux (full log) Attempted: certmgr
I opened cloudflare/certmgr#53 to attempt to make it more clear whether

I'll also drop in a reference to Jetstack's cert-manager, which would appear to support the self-signed certs, based on cert-manager/cert-manager#84 and cert-manager/cert-manager#637 -- assuming that the broader requirements could potentially be met by that effort as well.

force-pushed from df8a698 to 4602b43
To get the kubernetes refactor merged for 19.03, I've added a separate attribute for the certmgr package with the patch and added a package option to the certmgr service. Also I've rebased on top of current master. |
Motivation for this change
Without this patch, it is not possible to use a self-signed certificate for a remote cfssl server without certmgr rejecting the cert as untrusted.
This patch allows the user to optionally configure a trusted CA cert as part of any certmgr cert-spec.
See also: cloudflare/certmgr#51
Things done
- Tested using sandboxing (sandbox option in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
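The motivation above describes a trust problem rather than a certmgr-specific one: a Go TLS client that consults only the host trust store rejects a self-signed cfssl endpoint, and the fix is to hand it the endpoint's CA certificate as an additional root. The program below is an added example, not code from this PR, from certmgr or from cfssl; the server, the self-signed certificate and the helper names (newSelfSignedCert, hostTrust, fetchWithTrust, isUnknownAuthority, demo) are all constructed for the example, and the spec field name the patch introduces is not reproduced here. It shows the default client failing with x509's unknown-authority error and the client with the configured root succeeding, while leaving certificate verification on; setting tls.Config.InsecureSkipVerify instead would also accept any attacker's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert builds the kind of self-signed certificate a private cfssl
// API server might present. It is constructed in memory for this example.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example cfssl endpoint"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// httptest listens on 127.0.0.1, so the IP SAN must match for hostname checks.
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// hostTrust returns the host's CA bundle, or an empty pool where none is
// available, so the demonstration does not depend on what the host ships.
func hostTrust() *x509.CertPool {
	if pool, err := x509.SystemCertPool(); err == nil && pool != nil {
		return pool
	}
	return x509.NewCertPool()
}

// fetchWithTrust performs one HTTPS GET, verifying the server against roots.
// Verification stays enabled; only the set of trusted roots changes.
func fetchWithTrust(url string, roots *x509.CertPool) error {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the verification failure an
// untrusted self-signed certificate produces ("certificate signed by unknown authority").
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo starts a TLS server presenting the self-signed cert and returns
// (rejected by host trust store, accepted with the configured root, setup error).
func demo() (bool, bool, error) {
	serverCert, caCert, err := newSelfSignedCert()
	if err != nil {
		return false, false, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"success":true}`) // stand-in for a cfssl API response
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()

	// Before the patch: only the host trust store is consulted, so the cert is untrusted.
	errDefault := fetchWithTrust(srv.URL, hostTrust())

	// After the patch: the operator-supplied CA cert becomes an explicit trust root.
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	errPinned := fetchWithTrust(srv.URL, pool)

	return isUnknownAuthority(errDefault), errPinned == nil, nil
}

func main() {
	rejected, accepted, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("host trust store rejects self-signed cert: %v\n", rejected)
	fmt.Printf("configured CA root accepts it:            %v\n", accepted)
}
```

The root pool given to the second client contains only the one certificate, so it trusts that cfssl endpoint and nothing else; trusting a CA file from the cert-spec is a narrower change than adding it to the system bundle, where it would vouch for any name.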