Allow specifying a path to a root-ca file
In #338 the certificate management for the srl kind has been reworked, as explained here: https://containerlab.srlinux.dev/manual/kinds/srl/#tls
Although it is now possible to specify an existing root-ca file that will be used by containerlab to generate the node certs, it is not possible to specify a path to that file that is outside of the lab dir.
This is particularly painful when users want to create labs where some nodes should use the same root-ca as was used to generate srl certs. Consider the following example:
telegraf:
  kind: linux
  image: telegraf
  binds:
    - ~/root-ca.pem:/etc/telegraf/ca.crt:ro
Here, to make srl nodes use the root-ca that was referenced in the telegraf node definition, we would need to first copy that file to the lab directory under $labDir/ca/root-ca.pem. That is not convenient, as it imposes an extra step that we might automate.
The question is how to specify the path to the root-ca.pem that we would like to use in the lab?
I see the following options.
Opt 1: Labels
We can reuse docker labels to set a special label that will point to the path of the cert file:
topology:
  defaults:
    labels:
      CLAB_ROOT_CA: ~/root-ca.pem
Containerlab would then take this file and copy it over to the lab directory before the nodes start.
With this approach we don't introduce any more configuration keys, reusing labels instead. It also conveys information about which root-ca was used in docker labels, so clients can query this by running inspect.
Opt 2: New certs element
Another approach I have in mind is to use a new configuration blob at the main clab file level:
name: lab
certs:
  root-ca: ~/root-ca.pem
  # potentially more elements under certs will be possible to add along the way
The logic would still be the same: copy the file referenced under .certs.root-ca to the $labDir/ca/root-ca.pem
I wonder what others think?
/cc @karimra @steiler @jbemmel
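The copy logic both options share (resolve the user-supplied path, then place the file under $labDir/ca/root-ca.pem) as an added Go example; this is not containerlab's own code and the function names, the `~` expansion and the "relative to the topology file's directory" rule are assumptions made here. It adds one check a defender would want before the file is used to mint node certificates: the PEM must actually contain a currently valid CA certificate, so a leaf cert or a stray key file is rejected instead of silently becoming the lab root. The CA private key, which the page does not discuss, is out of scope; `makeTestCert` only builds constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// resolveRootCAPath expands a leading "~" and anchors relative paths at the
// directory holding the topology file (assumed convention), so the value of
// .certs.root-ca (or the CLAB_ROOT_CA label) can point anywhere on the host.
func resolveRootCAPath(p, topoDir string) (string, error) {
	if p == "" {
		return "", fmt.Errorf("root-ca path is empty")
	}
	if p == "~" || strings.HasPrefix(p, "~/") {
		home, err := os.UserHomeDir()
		if err != nil {
			return "", err
		}
		p = filepath.Join(home, strings.TrimPrefix(p, "~"))
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(topoDir, p)
	}
	return filepath.Clean(p), nil
}

// validateRootCA refuses anything that is not a currently valid CA
// certificate: wrong PEM type, unparsable DER, CA=false, or expired.
func validateRootCA(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, fmt.Errorf("certificate is not marked as a CA")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate is not valid at %s", now.Format(time.RFC3339))
	}
	return cert, nil
}

// installRootCA copies a validated CA certificate to $labDir/ca/root-ca.pem,
// creating the ca directory with owner/group-only permissions.
func installRootCA(src, labDir string) (string, error) {
	data, err := os.ReadFile(src)
	if err != nil {
		return "", err
	}
	if _, err := validateRootCA(data); err != nil {
		return "", fmt.Errorf("%s: %w", src, err)
	}
	caDir := filepath.Join(labDir, "ca")
	if err := os.MkdirAll(caDir, 0o750); err != nil {
		return "", err
	}
	dst := filepath.Join(caDir, "root-ca.pem")
	if err := os.WriteFile(dst, data, 0o640); err != nil {
		return "", err
	}
	return dst, nil
}

// makeTestCert builds a self-signed, short-lived certificate as constructed
// test input; isCA=false yields a leaf that validateRootCA must reject.
func makeTestCert(isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-lab-root-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	tmp, _ := os.MkdirTemp("", "clab-ca")
	defer os.RemoveAll(tmp)
	caPEM, _ := makeTestCert(true)
	src := filepath.Join(tmp, "root-ca.pem")
	_ = os.WriteFile(src, caPEM, 0o600)
	fmt.Println(installRootCA(src, filepath.Join(tmp, "clab-lab")))
}
```

Whichever configuration surface is chosen (label or `certs` element), the value would pass through `resolveRootCAPath` and then `installRootCA`; a rejected file fails the deploy early with the source path in the error, rather than producing node certs chained to something that is not a CA.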
I would prefer a new top level construct, "pki:" perhaps. The default should be to generate a new root CA for the lab; the user may specify a specific one to use (any absolute or relative path or URI) and containerlab should create a symlink (if on the local file system) or fetch it (if an http:// URL, for example).
To resolve the path to the local CA file, we could use config variables:
telegraf:
  kind: linux
  image: telegraf
  binds:
    - ${pki.root_ca}:/etc/telegraf/ca.crt:ro