Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mTLS: handle multiple CAs #1078

Open
Tracked by #1067
flavio opened this issue Feb 10, 2025 · 1 comment · May be fixed by #1090
Open
Tracked by #1067

mTLS: handle multiple CAs #1078

flavio opened this issue Feb 10, 2025 · 1 comment · May be fixed by #1090
Assignees
@jvanz

Comments

@flavio
Copy link
Member

flavio commented Feb 10, 2025
edited
Loading

There are two clients interacting with the /validate endpoints of Policy Server: the kubernetes API server and audit-scanner. When mTLS is enabled they are going to use client certificates issued by two different CA.

The following changes have to be done:

  • Allow the --client-ca-file to take multiple values by using a comma separator. This must be handled also when reading the contents of the environment variable
  • Extend the inotify code to watch for changes done to all the files mentioned by the --client-ca-file

Talking about the inotify watch code, the code provided as part of #1075 has to be refactored a bit. The current code is not going to scale nicely (in terms of readability) when multiple client CAs are going to be handled.
@flavio flavio mentioned this issue Feb 10, 2025
Open
3 tasks
@flavio flavio changed the title Watch changes done to the client CA file, reload it when needed mTLS: handle multiple CAs Feb 10, 2025
@jvanz jvanz self-assigned this Feb 11, 2025
@jvanz jvanz moved this to In Progress in Kubewarden Feb 11, 2025
@jvanz jvanz mentioned this issue Feb 12, 2025
Merged
@fabriziosestito fabriziosestito mentioned this issue Feb 12, 2025
Merged
@jvanz jvanz linked a pull request Feb 13, 2025 that will close this issue
Open
@jvanz jvanz moved this from In Progress to Pending review in Kubewarden Feb 13, 2025
@flavio flavio moved this from Pending review to In Progress in Kubewarden Feb 14, 2025
@flavio
Copy link
Member Author

flavio commented Feb 14, 2025

Moving back to in progress, we need to fix an integration test failing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jvanz jvanz

Labels
None yet
Projects
Kubewarden
Status: In Progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: multiple client CA. jvanz/policy-server
2 participants
@flavio @jvanz