
automatic TLS #236

Merged
merged 32 commits into from
Aug 29, 2022

Conversation

@vito (Owner) commented Aug 26, 2022

Bass now generates a "Bass CA" to the user's ~/.config/bass/tls/ and uses it to mint certificates for thunks that need them.

Use (with-tls thunk ./cert.pem ./key.pem) to have the runtime generate a TLS certificate and private key for the thunk at the specified paths. The certificate will be valid for the thunk addr's $host (same as the container's hostname).

  • The Buildkit host trusts the CA so that the host trusts its thunks.
  • The Buildkit host configures the CNI DNS addr in resolv.conf so that the host can resolve thunk addrs.
  • The shim installs the CA cert so that thunks trust each other.

The first two tasks make it possible to run an image registry thunk like Nixery or a pull-through registry mirror and use its addr for another thunk's image.

bonus material

  • fix race condition with zombie reaping [1]
  • bump buildkit to latest master now that necessary PRs are merged

Footnotes

  1. side note: not 100% sure the GOMAXPROCS removal is needed, but I'm also not sure it was needed in the first place 🤷‍♂️
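The CA-then-leaf flow the description lays out, as an added Go example that is not Bass code: a self-signed CA signs a certificate valid only for one thunk hostname, and a host that trusts that CA accepts the certificate for that name and rejects it for any other name or any other CA. The CA name, hostnames and validity periods are constructed; nothing here touches ~/.config/bass/tls/ or certstrap.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue is a constructed stand-in (not Bass code) for the PR's CA flow: with
// parent nil it self-signs a CA, else it signs a server leaf for hostname name.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil { // self-signed root able to sign leaves
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: valid only for this hostname, server auth, no CA powers
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// TrustedFor is the check a host that installed the CA cert performs: leaf
// chains to ca and matches host. A cert minted for one thunk fails for another.
func TrustedFor(leaf, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```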

it was either this or support host networking, which turned out to be a
rat's nest. this feels more generally useful, but the story is a little
incomplete; host->thunk uses a trusted CA, but there's no magic CA
trusting for thunk->thunk yet.
this was preventing reaping since that happens in a separate goroutine
guessing this is the root cause for stuck zombies

signal.Notify expects the channel to never block
this is handled by a search domain now
@vito vito added the enhancement New feature or request label Aug 26, 2022
@vito vito changed the title automatic TLS certs automatic TLS Aug 26, 2022
cert installation requires spawning a child process, so we don't want to
be listening for SIGCHLD yet
previously if the thunk failed we'd keep waiting on the health check;
now it'll be interrupted
certstrap checks perms, can't exceed r--r--r--
the runtime is the only thing that depends on basstls, but it relies on
it being initialized. so now it just initializes it too.

the alternative is making sure to initialize it everywhere the runtime
is used (docs, tests, irl), which feels messy.
regenerating them all the time means we can't dedupe services