Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding ability for operator to trust a self-signed certificate #200

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

craigmiller160
Copy link

THE PROBLEM

The 1Password connect operator supports adding a TLS certificate for direct intra-cluster traffic (via its kubernetes service). In many cases, securing intra-cluster traffic with TLS (ie, a no-trust scenario) means assigning a certificate that is either self-signed or signed by an internal organization CA. In both cases, this then means that the 1Password operator needs to be able to trust this certificate.

In its current form, there is no way to configure the 1Password operator to trust a certificate from an unknown authority, which makes a no-trust secure internal network very difficult to construct.

MY SOLUTION

I have added a new optional values.yaml property, operator.tls.trust.secret. It should point to the same secret used to provide tls.crt to the connect application. If a user provides that value, the secret is mounted as a volume in the operator application, and the golang SSL_CERT_FILE environment variable is set. This results in the operator successfully trusting the certificate used by the connector.

TESTING PERFORMED

I have deployed 1Password to my own kubernetes environment with the fork I made to perform this change, and I have validated that everything works end-to-end.

NEXT STEPS

I sincerely hope the 1Password team will review this contribution. Any changes you request I will be happy to perform. Thank you so very much.

Copy link
Contributor

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with gpg:

  1. Generate a GPG key
  2. Add the GPG key to your GitHub account
  3. Configure git to use your GPG key for commit signing
Sign commits with ssh-agent

Follow the steps below to set up commit signing with ssh-agent:

  1. Generate an SSH key and add it to ssh-agent
  2. Add the SSH key to your GitHub account
  3. Configure git to use your SSH key for commit signing
Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.

Learn how to use 1Password to sign your commits.

Watch the demo

@craigmiller160 craigmiller160 force-pushed the feature/operator-trust-cert branch 2 times, most recently from cf43a47 to debcf8f Compare July 18, 2024 01:13
@craigmiller160 craigmiller160 force-pushed the feature/operator-trust-cert branch from 205efd1 to f9d61c6 Compare September 30, 2024 02:08
@craigmiller160
Copy link
Author

Hello. I opened this PR a significant amount of time ago. I just updated it with the latest changes from your main branch. I hope someone can get to reviewing it. Thank you.

@craigmiller160
Copy link
Author

I have signed all commits since the original warning

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant