Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support loading additional CA certificates from ConfigMaps in WasmCloudHostConfig #69

Closed
joonas opened this issue Jul 9, 2024 · 4 comments · Fixed by #72
Closed

Support loading additional CA certificates from ConfigMaps in WasmCloudHostConfig #69

joonas opened this issue Jul 9, 2024 · 4 comments · Fixed by #72

Comments

@joonas
Copy link
Member

joonas commented Jul 9, 2024

Once wasmCloud/wasmCloud#2460 is implemented, we need to add support for configuring the new option with certificates provided as ConfigMaps (for an example of what the ConfigMap might look like, see the OpenShift documentation) and mounted into the host as volumes.

@joonas joonas changed the title Support loading additional CA certificates from ConfigMaps Support loading additional CA certificates from ConfigMaps in WasmCloudHostConfig Jul 9, 2024
@LuukSt
Copy link

LuukSt commented Jul 11, 2024

Mounting a volume in the example given will require a mount for each file if you need to provide muliple CA bundle file (or an item/key specification for each file). It could be considered to mount the configmap without key specification, in which case all files in the configmap will be mounted without further specification required.
I guess this also relates to the comments regarding "Single Flag for Certificate Loading" by liamwh in issue wasmCloud/wasmCloud#2460

@joonas
Copy link
Member Author

joonas commented Jul 11, 2024

Hi @LuukSt, appreciate the feedback!

Just a couple of notes to clarify how we were imagining this could work in terms of your feedback:

Mounting a volume in the example given will require a mount for each file if you need to provide muliple CA bundle file (or an item/key specification for each file).

So the idea is that you should be able to pass in a ConfigMap with one or more files inside of it (stored as .crt in PEM format) that would then all be projected to a directory as a Volume Mount by the operator.

The operator would then pass this directory (or in the case of an individual file, perhaps just the individual file) as an argument to the --tls-ca-path flag described in wasmCloud/wasmCloud#2460, which will support loading the CAs from either an individual file (as in --tls-ca-path /data/certs/my-ca.crt) or a directory of files (as in --tls-ca-path /data/certs).

Furthermore, it will support the ability to also parse "certificate bundles" where you might have an entire chain stored together into a single file rather than as multiple files.

On top of that, the operator will also support the option of providing more than one ConfigMap in case you had a use case that requires it (as opposed to including all of the necessary certs in a single ConfigMap).

An example where the ability to provide multiple ConfigMaps could be helpful is if you had a case where you're perhaps using an in-cluster CA for the OpenTelemetry collector, so that's provided as one ConfigMap, and then for your organization's OCI registry you may have a different CA that needs to be loaded, so that could be provided as a second/separate ConfigMap.

It could be considered to mount the configmap without key specification, in which case all files in the configmap will be mounted without further specification required.

I didn't describe it originally in the issue here, but the idea for how we'd likely want to provide the configuration for which ConfigMaps need to be loaded might end up looking something like what the Gateway API does for it's BackendRef resources (see also the BackendRef API definition). So rather than depending on a specific key within the ConfigMap, we'll take an object reference and then iterate over keys of the referenced object.

This has a couple of benefits that I see:

  1. While we may only support ConfigMaps to start, it is possible to extend this to also support Secrets, for example (though there are some implications on that).
  2. While we may only support ConfigMaps from the same namespace as the WasmCloudHostConfig initially, we could in theory, support referencing them cross-namespace.
  3. Assuming we expose this as a repeatable option (i.e. a list of references as in the Gateway API examples), we'll have the ability to support the aforementioned use case of having multiple CA bundles to pull in for different purposes / clients.

@LuukSt
Copy link

LuukSt commented Jul 11, 2024

Thanks for the extensive answer @joonas. This approach seems to have sufficient flexibility in it as far as I can see now.
The support for bundles is indeed useful as we by default use a standard provided CA bundle file that contains multiple full chains.
Furthermore; the support for secrets might also be very useful. I guess this could be the way to for instance serve cert-manager generated cert secrets to applications in the wasmcloud host?

@joonas
Copy link
Member Author

joonas commented Jul 15, 2024

@lxfontes is working on this.

@joonas joonas removed their assignment Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants