Support (m)TLS API Socket #24601
Support (m)TLS API Socket #24601
Conversation
…terial for TCP remotes Signed-off-by: Andrew Melnick <[email protected]>
openshift-ci
bot
added
do-not-merge/work-in-progress
github-actions
bot
added
the
kind/api-change
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: meln5674 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Ephemeral COPR build failed. @containers/packit-build please check. |
|
I don’t think we ever looked into this. Largely because without certificate
authentication - which is hard to do - TLS doesn’t add much. Other people
not being any to read the traffic didn’t matter if we are exposing
passwordless root over the network.
…On Tue, Nov 19, 2024 at 10:14 Paul Holzinger ***@***.***> wrote:
@jwhonce <https://github.com/jwhonce> @baude <https://github.com/baude>
@mheon <https://github.com/mheon> FYI. Had you ever looked at TLS support
for the podman service and remote client?
With the amount of code here this looks easy enough to accept to me but I
was wondering if there is/was any reason why we do not support it.
—
Reply to this email directly, view it on GitHub
<#24601 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3AOCFVIQJ3XD2SIG42VKL2BNIT5AVCNFSM6AAAAABSA2GWC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOBVHE4TGNBQGI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Just skimmed, but LGTM on approach. A lot less code than I was expecting for certificate auth. Now, if we have to start providing docs for how to do certificate auth right, I think the amount of changes grows substantially, but I don't think it's really worth it at this point. |
|
Sending the directory location of the private key out over the wire doesn't give me the warm fuzzies. Is it something that other software does? |
That certainly wasn't my intent, but I'm not sure what you're referring to. Is that a consequence of adding it to the conf file that I'm unaware of? |
It is not being send anywhere, both the client and server read the files locally and then use the certificates to perform a normal TLS handshake via the go std lib AFAICT.
@jwhonce I am not sure what are you referring to? The question for me was if there was a specific reason why TLS support was not done before. If not then I think we should accept this PR |
| "os" | ||
| ) | ||
|
|
||
| func ReadCertBundle(path string) (*x509.CertPool, error) { |
There was a problem hiding this comment.
can you mope this in a new separate package, maybe call it cert and then name the function ReadBundle()
We should really move away from dumping everything into util packages as this causes a lot of unwanted side effects via other imports that really should not have to be imported on the remote client, i.e. #23818. Fixing that will be quite some work but in the meantime we should not add new things there that are needed by the remote client.
| if len(tlsCAFile) != 0 || len(tlsCertFile) != 0 || len(tlsKeyFile) != 0 { | ||
| logrus.Debugf("using TLS cert=%s key=%s ca=%s", tlsCertFile, tlsKeyFile, tlsCAFile) | ||
| transport.TLSClientConfig = &tls.Config{} | ||
| connection.tls = true | ||
| } | ||
| if len(tlsCAFile) != 0 { | ||
| pool, err := util.ReadCertBundle(tlsCAFile) | ||
| if err != nil { | ||
| return connection, fmt.Errorf("unable to read CA bundle: %w", err) | ||
| } | ||
| transport.TLSClientConfig.RootCAs = pool | ||
| } | ||
| if len(tlsCertFile) != 0 && len(tlsKeyFile) != 0 { |
There was a problem hiding this comment.
The condition here do not seem to line up perfectly.
If only tlsCertFile is set then the first condition matches and says tls is used but then we never add the the key on the last one. That case should return a hard error I would assume.
| if cmd.Flags().Changed("tls-cert") { | ||
| return errors.New("--tls-cert option not supported for ssh scheme") | ||
| } | ||
| if cmd.Flags().Changed("tls-key") { | ||
| return errors.New("--tls-key option not supported for ssh scheme") | ||
| } | ||
| if cmd.Flags().Changed("tls-ca") { | ||
| return errors.New("--tls-ca option not supported for ssh scheme") | ||
| } | ||
| return ssh.Create(entities, sshMode) | ||
| case "unix": | ||
| if cmd.Flags().Changed("identity") { | ||
| return errors.New("--identity option not supported for unix scheme") | ||
| } | ||
| if cmd.Flags().Changed("tls-cert") { | ||
| return errors.New("--tls-cert option not supported for unix scheme") | ||
| } | ||
| if cmd.Flags().Changed("tls-key") { | ||
| return errors.New("--tls-key option not supported for unix scheme") | ||
| } | ||
| if cmd.Flags().Changed("tls-ca") { | ||
| return errors.New("--tls-ca option not supported for unix scheme") | ||
| } |
There was a problem hiding this comment.
This duplicates the same conditions. Move them outside the switch case and match if scheme != tcp so you do not duplicate that
Add flags
--tls-cert,--tls-key,--tls-ca/--tls-client-cato the commandspodman remote,podman system service, andpodman system connection addto support serving the API socket using TLS and mTLS, as well as connecting to such a socket.This relies on containers/common#2249 and will fail CI until merged.
Fixes #24583
Does this PR introduce a user-facing change?