
certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver #45567

Merged
merged 3 commits into from Jan 30, 2019

Conversation

johanot
Contributor

@johanot johanot commented Aug 24, 2018

Motivation for this change

Without this patch, it is not possible to use a self-signed certificate for a remote cfssl server without certmgr rejecting the cert as untrusted.

This patch allows for the user to configure (optionally) a trusted CA-cert as part of any certmgr cert-spec.

See also: cloudflare/certmgr#51

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@johanot
Contributor Author

johanot commented Aug 24, 2018

@GrahamcOfBorg test certmgr.command certmgr.systemd

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log:

/nix/store/2ninp236pfz63y0hvxpicbl8lzzjcmii-certmgr-1.6.1-bin

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log:

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin
shrinking /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin
checking for references to /build in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin...
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
/nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: tests.certmgr.command, tests.certmgr.systemd

Partial log:

syncing
machine: running command: sync
machine: exit status 0
test script finished in 197.18s
cleaning up
killing machine (pid 600)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/bqpzcjwjs6islx9hmdzzq1b99df7ga40-vm-test-run-certmgr-command
/nix/store/vwys7jlxylhbl5dc1grgm9lvxzcwkgdh-vm-test-run-certmgr-systemd

@GrahamcOfBorg

Failure on aarch64-linux (full log)

Attempted: tests.certmgr.command, tests.certmgr.systemd

Partial log:

machine: running command: systemctl --no-pager show "nginx.service"
machine: exit status 0
error: unit ‘nginx.service’ reached state ‘failed’
unit ‘nginx.service’ reached state ‘failed’
cleaning up
killing machine (pid 631)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
builder for '/nix/store/viz555bk4g0dkdmwhyy0dgnni9vwsg03-vm-test-run-certmgr-systemd.drv' failed with exit code 255
error: build of '/nix/store/viz555bk4g0dkdmwhyy0dgnni9vwsg03-vm-test-run-certmgr-systemd.drv' failed

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log:

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin
shrinking /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin
checking for references to /build in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin...
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
/nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log:

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin
shrinking /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin
checking for references to /build in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin...
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
/nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin

@srhb
Contributor

srhb commented Aug 30, 2018

While I realize that it's an unfortunate situation that this isn't merged yet, since the revamped k8s module depends on it, I think we should have at least some indication that upstream is going to actually be merging this, and not just a fetchpatch from an open PR, before we include it under the "certmgr" name and not a clearly forked version.

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log:

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin
shrinking /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin
checking for references to /build in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin...
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
/nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log:

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin
shrinking /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin
checking for references to /build in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin...
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
/nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin

@vielmetti

I opened cloudflare/certmgr#53 to attempt to make it more clear whether certmgr will support self-signed certs.

@vielmetti

I'll also drop in a reference to Jetstack's cert manager which would appear to support the self-signed certs, based on cert-manager/cert-manager#84 and cert-manager/cert-manager#637 -- assuming that the broader requirements could potentially be met by that effort as well.

@fpletz
Member

fpletz commented Jan 24, 2019

To get the kubernetes refactor merged for 19.03, I've added a separate attribute for the certmgr package with the patch and added a package option to the certmgr service. Also I've rebased on top of current master.


5 participants