Add flag to set custom CA #50
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution! Looks good overall. I just had a few small suggestions.
@@ -42,6 +46,7 @@ import ( | |||
var ( | |||
discoveryInterval = flag.Duration("discovery-interval", 30*time.Second, "How often to refresh discovery cache to pick up newly-installed resources") | |||
informerRelist = flag.Duration("cache-flush-interval", 30*time.Minute, "How often to flush local caches and relist objects from the API server") | |||
caFile = flag.String("ca", "", "Verify certificates of TLS-enabled secure servers using this CA bundle") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we call the flag ca-bundle-file
so it's clear what it does when looking at a command line in isolation?
glog.Fatalf("Can't read CA file %s: %v", ca, err) | ||
} | ||
|
||
// an error is okay here, we willl only use the custom CA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/willl/will/
} | ||
|
||
// an error is okay here, we willl only use the custom CA | ||
rootCAs, _ := x509.SystemCertPool() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer to save the err
and check both values. In general, we shouldn't make assumptions about the meaning of other returned values if err
is ever non-nil.
rootCAs, err := x509.SystemCertPool()
if err != nil || rootCAs == nil {
rootCAs = x509.NewCertPool()
}
@enisoc Thanks for the feedback. I've been traveling, but will address these soon. |
Looking forward to this change -- we will def use this. Some basic docs on how to set up would be helpful too. |
@bsherrod I think the original author of this PR wasn't able to finish it. I left it open as bait to see if anyone else wanted the same thing. Would you be interested in helping to clone this and get it finished? I'm focusing on integration tests for now and may not get to this for a while otherwise. |
I'll see if someone on my team can take it. |
I generally run all my services inside the cluster with certificates signed by an internal CA. I want to run my metacontroller hooks the same way. This PR adds a flag to allow adding a custom CA for certificate verification.
I wound up having to touch a lot more code that I liked. Ultimately, I needed to use a custom
http.Client
inhooks/webhook.go
, but I need to pass that through frommain.go
. I'm not sure this is the best approach, but wanted to offer it up for discussion.Thanks for the project! This allowed me to greatly simplify some custom controllers I maintain at my day job.