Skip to content
This repository has been archived by the owner on Jul 22, 2022. It is now read-only.

Add flag to set custom CA #50

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add flag to set custom CA #50

wants to merge 1 commit into from

Conversation

bakins
Copy link

@bakins bakins commented May 25, 2018

I generally run all my services inside the cluster with certificates signed by an internal CA. I want to run my metacontroller hooks the same way. This PR adds a flag to allow adding a custom CA for certificate verification.

I wound up having to touch a lot more code that I liked. Ultimately, I needed to use a custom http.Client in hooks/webhook.go, but I need to pass that through from main.go. I'm not sure this is the best approach, but wanted to offer it up for discussion.

Thanks for the project! This allowed me to greatly simplify some custom controllers I maintain at my day job.

@enisoc enisoc self-assigned this May 25, 2018
enisoc
enisoc reviewed May 29, 2018
View reviewed changes
Copy link

@enisoc enisoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! Looks good overall. I just had a few small suggestions.

main.go
@@ -42,6 +46,7 @@ import (
var (
discoveryInterval = flag.Duration("discovery-interval", 30*time.Second, "How often to refresh discovery cache to pick up newly-installed resources")
informerRelist = flag.Duration("cache-flush-interval", 30*time.Minute, "How often to flush local caches and relist objects from the API server")
caFile = flag.String("ca", "", "Verify certificates of TLS-enabled secure servers using this CA bundle")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we call the flag ca-bundle-file so it's clear what it does when looking at a command line in isolation?

main.go
glog.Fatalf("Can't read CA file %s: %v", ca, err)
}

// an error is okay here, we willl only use the custom CA
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/willl/will/

main.go
}

// an error is okay here, we willl only use the custom CA
rootCAs, _ := x509.SystemCertPool()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to save the err and check both values. In general, we shouldn't make assumptions about the meaning of other returned values if err is ever non-nil.

rootCAs, err := x509.SystemCertPool()
if err != nil || rootCAs == nil {
  rootCAs = x509.NewCertPool()
}

@bakins
Copy link
Author

bakins commented Jun 11, 2018

@enisoc Thanks for the feedback. I've been traveling, but will address these soon.

@enisoc enisoc mentioned this pull request Sep 5, 2018
Closed
@bsherrod
Copy link

Looking forward to this change -- we will def use this. Some basic docs on how to set up would be helpful too.

@enisoc
Copy link

enisoc commented Jan 18, 2019

@bsherrod I think the original author of this PR wasn't able to finish it. I left it open as bait to see if anyone else wanted the same thing. Would you be interested in helping to clone this and get it finished? I'm focusing on integration tests for now and may not get to this for a while otherwise.

@bsherrod
Copy link

I'll see if someone on my team can take it.

@grzesuav grzesuav mentioned this pull request Nov 28, 2020
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@enisoc enisoc enisoc left review comments

Assignees

@enisoc enisoc

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bakins @bsherrod @enisoc