certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver

[johanot]

Motivation for this change

Without this patch, it is not possible to use a self-signed certificate for a remote cfssl server without certmgr rejecting the cert as untrusted.

This patch allows for the user to configure (optionally) a trusted CA-cert as part of any certmgr cert-spec.

See also: cloudflare/certmgr#51

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Fits CONTRIBUTING.md.

---

[johanot]

@GrahamcOfBorg test certmgr.command certmgr.systemd

[GrahamcOfBorg]

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

/nix/store/2ninp236pfz63y0hvxpicbl8lzzjcmii-certmgr-1.6.1-bin

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin
shrinking /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin
checking for references to /build in /nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin...
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
/nix/store/w14lhbmgfn2c0w24l7gjzszd849d458l-certmgr-1.6.1-bin

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: tests.certmgr.command, tests.certmgr.systemd

Partial log (click to expand)

syncing
machine: running command: sync
machine: exit status 0
test script finished in 197.18s
cleaning up
killing machine (pid 600)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/bqpzcjwjs6islx9hmdzzq1b99df7ga40-vm-test-run-certmgr-command
/nix/store/vwys7jlxylhbl5dc1grgm9lvxzcwkgdh-vm-test-run-certmgr-systemd

[GrahamcOfBorg]

Failure on aarch64-linux (full log)

Attempted: tests.certmgr.command, tests.certmgr.systemd

Partial log (click to expand)

machine: running command: systemctl --no-pager show "nginx.service"
machine: exit status 0
error: unit ‘nginx.service’ reached state ‘failed’
unit ‘nginx.service’ reached state ‘failed’
cleaning up
killing machine (pid 631)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
builder for '/nix/store/viz555bk4g0dkdmwhyy0dgnni9vwsg03-vm-test-run-certmgr-systemd.drv' failed with exit code 255
error: build of '/nix/store/viz555bk4g0dkdmwhyy0dgnni9vwsg03-vm-test-run-certmgr-systemd.drv' failed

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin
shrinking /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin
checking for references to /build in /nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin...
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
/nix/store/knrhrnmbkxz5mmm77y3yjwb10x5kldzi-certmgr-1.6.1-bin

[GrahamcOfBorg]

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin
shrinking /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin
checking for references to /build in /nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin...
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
/nix/store/32kzz1a2shz8n6bj9kbm99cl2qn01vdw-certmgr-1.6.1-bin

[srhb]

While I realize that it's an unfortunate situation that this isn't merged yet, since the revamped k8s module depends on it, I think we should have at least some indication that upstream is going to actually be merging this, and not just a fetchpatch from an open PR, before we include it under the "certmgr" name and not a clearly forked version.

[GrahamcOfBorg]

Success on aarch64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin
shrinking /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin
checking for references to /build in /nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin...
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
/nix/store/4n2717nk1pfxfk267g80g2xwsqwba5qn-certmgr-1.6.1-bin

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: certmgr

Partial log (click to expand)

installing
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin
shrinking /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin/bin/certmgr
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin/bin
patching script interpreter paths in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin
checking for references to /build in /nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin...
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
/nix/store/fpzm2z102jls8cvfz1ammyill6qsg2kr-certmgr-1.6.1-bin

[vielmetti]

I opened cloudflare/certmgr#53 to attempt to make it more clear whether certmgr will support self-signed certs.

[vielmetti]

I'll also drop in a reference to Jetstack's cert manager which would appear to support the self-signed certs, based on cert-manager/cert-manager#84 and cert-manager/cert-manager#637 -- assuming that the broader requirements could potentially be met by that effort as well.

[fpletz]

To get the kubernetes refactor merged for 19.03, I've added a separate attribute for the certmgr package with the patch and added a package option to the certmgr service. Also I've rebased on top of current master.