Let it be possible to specify optional CAcert for trust of remote cfssl

[johanot]

If you run cfssl apiserver tls-enabled, it is currently not possible to use self-signed certificate, because certmgr will reject it.

This PR makes it possible to use self-signed certificate on the cfssl apiserver, by providing an optional cert-spec option root_ca.

[johanot]

@cbroglie Don't know if you work with certmgr as well? But since you merged my latest PR on cfssl, perhaps you'd care to review this as well? :) thanks in any case.

[kalbasit]

why panic here? why not simply return nil, err?

[kalbasit]

you should probably return nil, errors.New("failed to parse rootCA certs")

[kalbasit]

Go devs are not fond of if..else blocks, can you change this entire block to:

if err != nil {
  return nil, err
}
rootCaCertPool := x509.NewCertPool() ...

also don't panic :)

[kalbasit]

remove newline on top.

[johanot]

@kalbasit Thanks for the review. Check bfbe3b4 now. Sorry about the poor error handling. The panics were clearly remnants of my debugging and shouldn't have made it to the PR :) embarrassing.

[kalbasit]

@johanot no worries :), it looks great now, hopwfully someone can merge this soon. Today, I will take a look at the k8s pr over on nixpkgs.

[johanot]

@kisom Can I kindly ask for your comment/opinion on this change?

[johanot]

@terinjokes Poking blindly here, but I would be very grateful if you or one of your colleagues could take a look at this PR and tell me whether it makes sense? :) We would like to include certmgr 1.6.1 (with this patch) in the upstream NixOS Kubernetes module.

[johanot]

@kisom @terinjokes Re-ping -> one month after PR creation.

[terinjokes]

For consistency with other checks in this file (eg, AuthKeyFile), we might want to compare against an empty string, rather than a length check.

[johanot]

Thanks @terinjokes.

Fixed in 519f8db .. Will squash if you approve. Any other comments to the functionality in general? It does make sense to implement support for self-signed certs on cfssl-apiserver this way right?

[johanot]

@terinjokes @kisom Is this something you will consider merging at some point, or is it just too far from the the core principals of certmgr? We've discussed in the NixOS kubernetes community whether to fork certmgr to be able to use self-signed certs with cfssl, or to build a new cfssl client; but I genuinely think that would be sad. I very much prefer to hear some sort of opinion from you on this, so that we can decide on whether to stick with upstream certmgr as cfssl client or not. Thanks a lot. :)

[adamtulinius]

@terinjokes @kisom Any updates on this?

[kisom]

@johanot @adamtulinius I'm no longer at Cloudflare and don't have access to this repo anymore :).

[ferringb]

Unless I'm missing something, this code change will result in an empty/zero initialized struct being passed for tlsConfig- rather than nil; does the consuming code make a difference in that regard?

More specifically, I want to confirm that these changes won't break the existing pathway, and tests don't exist so it's hard to evaluate this as a drive by reviewer.

[johanot]

@ferringb You're right. Changed the tlsConfig var to be a pointer instead: aa36ac4 ... nil should be supported by the cfssl client lib. (https://github.com/cloudflare/cfssl/blob/master/api/client/client.go#L138)

[ferringb]

The README.md should be updated w/ documentation for this new feature

[johanot]

@ferringb Is this sufficient docs? 55c595a

[ferringb]

@johanot it is- pardon the delay in follow up.