feat(spin/certs): automate creating the default CA bundle secret #207
Conversation
This commit injects a default CA bundle in the root filesystem for every Spin application pod created, so host components can execute TLS operations. Signed-off-by: Radu Matei <[email protected]>
adamreese
requested review from
calebschoepp,
endocrimes,
bacongobbler and
michelleN
as code owners
There was a problem hiding this comment.
Great work Adam.
There is no owner reference on the secret which means it will persist unless manually deleted. Meaning that if spin-operator is removed from the cluster it will not be included in the cascading deletion.
Mind elaborating on this design choice. My gut feeling is that we would want it do be cleaned up automatically.
|
@calebschoepp Having no owner reference is because there isn't anything to assign ownership to. The secret is global for the namespace so it can't be owned by specific applications. |
Could it be owned by the operator so that if the operator is removed the certs are removed too? |
|
The operator isn't aware of it's own kubernetes deployment. It's just a running binary. |
internal/cacerts/cacerts.go
Outdated
| // Package cacerts provides an embedded CA root certificates bundle. | ||
| package cacerts | ||
|
|
||
| //go:generate curl -sfL https://curl.se/ca/cacert.pem -o ca-certificates.crt |
There was a problem hiding this comment.
LazyQ: What license are these under? if it involves attribution are we correctly doing so?
There was a problem hiding this comment.
Great question. It's built off the mozilla cert bundle which is under Mozilla Public License
There was a problem hiding this comment.
I think this means the cacerts package also has to be MPL-2.0 (because we embed the MPL-2.0 data in the sources), and MPL-2.0 is (albeit weakly) copyleft.
There was a problem hiding this comment.
I'm not exactly sure what we need to do for this one.
There was a problem hiding this comment.
I think a comment on the variable that the contents are MPL-2.0 licensed might be good enough? (and having a link to the cert bundle is helpful for understanding what they are anyway)
adamreese
force-pushed
the
feat/inject-ca
branch
2 times, most recently
from
a80b180 to
3d2a27f
Compare
adamreese
force-pushed
the
feat/inject-ca
branch
2 times, most recently
from
b5f092e to
e69223b
Compare
|
RE: #207 (comment) Disclaimer: I am not a lawyer. I think this covers the section under the MPL-2.0 terms for "Distribution of Source Form" (Section 3.1 of the MPL-2.0), but it does not cover "Distribution of Executable Form". Section 3.2 of the MPL 2.0 states the following:
Given that our users would refer to the LICENSE file provided with the executable, I think we need to include it there as well. Either that or include a NOTICE file referring to the MPL-2.0 license and its usage within spin-operator. |
|
Hmm.. Re-reading that section, it doesn't state you need to sub-license the project or include its terms in a NOTICE file. You just need to make the "recipient of the Executable Form" aware of how to receive the source code. I think we're good on that front... But again, not a lawyer. :) |
| // | ||
| // curl -sfL https://curl.se/ca/cacert.pem -o ca-certificates.crt | ||
|
|
||
| import _ "embed" |
There was a problem hiding this comment.
TIL this is a part of the standard library now. That's awesome
| // ConstructVolumeMountsForApp introspects the application and generates | ||
| // any required volume mounts. A generated runtime secret is mutually | ||
| // exclusive with a user-provided secret - this is to require _either_ a | ||
| // manual runtime-config or a generated one from the crd. | ||
| func ConstructVolumeMountsForApp(ctx context.Context, app *spinv1alpha1.SpinApp, generatedRuntimeSecret string) ([]corev1.Volume, []corev1.VolumeMount, error) { | ||
| func ConstructVolumeMountsForApp(ctx context.Context, app *spinv1alpha1.SpinApp, generatedRuntimeSecret, caSecretName string) ([]corev1.Volume, []corev1.VolumeMount, error) { |
There was a problem hiding this comment.
I wish there was a way to make caSecretName use an Option<string> instead of an empty string to make it more clear to the caller that this is an optional value. I've been spoiled by Rust.
There was a problem hiding this comment.
we can always use *string in golang. (before you ask Even I am not sure if I am kidding or being serious here.)
Supersedes spinkube#184 Automate the creation of a secret for a default CA root certificate bundle. A secret is created in each namespace that contains a spin application. If a secret already exists with the name `spin-ca` it will not be modified. This allows the default `spin-ca` secret to be overridden by the user. The embedded CA bundle is fetched from https://curl.se/ca/cacert.pem and can be updated to the latest by running `go generate ./...`. There is no owner reference on the secret which means it will persist unless manually deleted. Meaning that if spin-operator is removed from the cluster it will not be included in the cascading deletion. Signed-off-by: Adam Reese <[email protected]>
Supersedes #184
Automate the creation of a secret for a default CA root certificate bundle. A secret is created in each namespace that contains a spin application. If a secret already exists with the name
spin-cait will not be modified. This allows the defaultspin-casecret to be overridden by the user.The embedded CA bundle is fetched from https://curl.se/ca/cacert.pem and can be updated to the latest by running
go generate ./....There is no owner reference on the secret which means it will persist unless manually deleted. Meaning that if spin-operator is removed from the cluster it will not be included in the cascading deletion.