root-cas setting #371

Merged
merged 8 commits into from
May 22, 2024

jrobsonchase
Collaborator

@jrobsonchase jrobsonchase commented May 2, 2024

closes: #369

What

Utilizes the trusted or host CA as the source of truth via a helm install flag.

How

Takes an install option for --set rootCAs=host and plumbs the isHostCA check into the caCerts for it to just get the host certs.

Verification

  • Build 2048 image, copying in cert and updating certs, apply changes
  • Set --set rootCAs host and make deploy, no controller errors ✅ and can play example
  • Set --set rootCAs host with canonical 2048 example without cert gives errors in controller
  • Set --set rootCAs trusted no errors and plays 2048 as expected
  • no set plays as expected

@github-actions github-actions bot added area/controller Issues dealing with the controller area/helm-chart Issues dealing with the helm chart labels May 2, 2024
@jrobsonchase
Collaborator Author

Looks to be working as expected:

failed to reconnect session     {"obj": "csess", "id": "0eb6ded7abdf", "err": "failed to send authentication request: tls: failed to verify certificate: x509: certificate signed by unknown authority"}

with the standard agent ingress, which uses the internal ngrok CA rather than Let's Encrypt.

@OfTheDelmer OfTheDelmer changed the title wip: host-ca setting host-ca setting May 17, 2024
@OfTheDelmer OfTheDelmer marked this pull request as ready for review May 17, 2024 14:24
@OfTheDelmer OfTheDelmer requested a review from a team as a code owner May 17, 2024 14:24
@bobzilladev
Member

From meeting today:

  1. Will instead add a root_cas option with similar semantics to the agent: https://ngrok.com/docs/ngrok-agent/config/#root_cas
  2. The default will be internal and use the cert baked into ngrok-go. Caveat: if the special local directories exist and have certs, those will be used instead (same behavior as the controller currently uses).
  3. The host option will use host certs, as this PR makes possible.
  4. Any other values for root_cas will throw an error. In the future we may build functionality to refer to a k8s object here.

A table @jrobsonchase made of options, for posterity. We're going with the middle option:
[Image: 2024-05-17-105728_691x276_scrot (screenshot of the options table)]

@OfTheDelmer OfTheDelmer changed the title host-ca setting root-cas setting May 22, 2024
@OfTheDelmer OfTheDelmer merged commit b8537a7 into main May 22, 2024
@OfTheDelmer OfTheDelmer deleted the josh/host-ca branch May 22, 2024 15:58
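
The root_cas semantics agreed in the thread, as an added Go example that is not code from this PR or from ngrok-go. It assumes the value names `trusted` and `host` used in the verification steps; `verifyServer` and `newCert` are hypothetical helpers, the CA is constructed in-process as a stand-in for the baked-in one, and the local-directory override is not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyServer validates leaf against the roots selected by the root_cas setting.
func verifyServer(setting string, internalCA, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	switch setting {
	case "", "trusted": // default: pin only the CA shipped with the client
		roots.AddCert(internalCA)
	case "host": // OS trust store; the internal CA is not implicitly part of it
		var err error
		if roots, err = x509.SystemCertPool(); err != nil {
			return err
		}
	default: // fail closed on any other value
		return fmt.Errorf("unsupported root_cas value %q", setting)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]})
	return err
}

// newCert issues a constructed demo certificate; a nil parent yields a self-signed CA.
func newCert(host string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := newCert("ca.example.internal", nil, nil)
	leaf, _ := newCert("tunnel.example.internal", ca, caKey)
	fmt.Println(verifyServer("trusted", ca, leaf), verifyServer("host", ca, leaf))
}
```

With `host`, a server certificate issued by the constructed internal CA is rejected with the same x509 unknown-authority error class seen in the controller log above.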
Development

Successfully merging this pull request may close these issues.

Need the ability to specify the equivalent of root_cas: host in the ingress controller
3 participants