Support adding untrusted root CA certificates (corp certs) #5015
Conversation
Signed-off-by: Zhongcheng Lao <[email protected]>
k8s-ci-robot
added
do-not-merge/invalid-commit-message
|
Hi @laozc. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: laozc The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
the
size/L
|
Can one of the admins verify this patch? |
This PR allows users to add root CA certificates in minikube VM. CA certificates in $HOME/.minikube/certs will be populated to system certificate store. Note: This requires a change to minikube ISO so you may need to delete and start a brand new minikube VM. Signed-off-by: Zhongcheng Lao <[email protected]>
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
|
@minikube-bot OK to test |
laozc
force-pushed
the
populate-ca
branch
2 times, most recently
from
8b58763
to
002956f
Compare
Signed-off-by: Zhongcheng Lao <[email protected]>
|
@laozc Thank you so much for this PR ! this is actually very exciting ! do you mind sharing if you have tested this for yourself? and I am very curious to find out how I could test it myself? is there a way I could simulate a corp environment root CA and first see it fail and then after this PR see it succeed ? |
|
I've verified the PR on both Linux and Windows (Hyper-V) myself. I used the PR against my own CA inside a private network (mynetwork.net), which runs a private Docker image server (docker.mynetwork.net) with TLS enabled.
There operations should not produce any errors like You may use a self-signed root CA, generate a server cert with the root and OpenSSL to verify this PR. |
Signed-off-by: Zhongcheng Lao <[email protected]>
I would love to see an integration tests for this, do you have scipts that I could run to exactly simulate those steps. |
Signed-off-by: Zhongcheng Lao <[email protected]>
|
@minikube-bot OK to test. |
|
Unfortunately except for generating SSL certificates, I don't have the script to launch a image repository with SSL certificate. |
This is great work ! I know many people whose lifes would be happier when this PR gets merged ! very thoughtful ! could you add a tutorial on the cert maybe in the site? btw this needs a rebase. I am excited to see this PR ! |
|
here is an example of tutorials file: |
Signed-off-by: Zhongcheng Lao <[email protected]>
Signed-off-by: Zhongcheng Lao <[email protected]>
|
@laozc This is beautiful work ! it looks good to be merged after the tests pass ! I feel impatient to merge it ! thank you for this ! |
medyagh
changed the title
|
@laozc do you happen to know the exact error messages that minikube crashes on if they don't add the corp certs ? I think it would be nice to add a Solution message to the user and advice them to read this great tutorial you wrote. something to be added here: like this one: https://github.com/kubernetes/minikube/blob/master/pkg/minikube/problem/err_map.go#L97 BTW please feel free to add your name to the tutorial on the site as the author ! you deserve all the credit . |
Let me reproduce it and make another change for a more user-friendly error prompt later.
Thanks. Happy to help. |
This PR allows users to populate Corp Root CA certificates by adding certificates in PEM format to
~/.mininkube/certs.These certificates will be added to system certificate store, which will be trusted by all processes running in the minikube VM.
Closes: #1408