kargo icon indicating copy to clipboard operation
kargo copied to clipboard

Published 20 hours ago verified publisher icon akuity

Add MTLS support

Open obeyler opened this issue 10 months ago • 14 comments

Checklist

  • [x] I've searched the issue queue to verify this is not a duplicate feature request.
  • [x] I've pasted the output of kargo version, if applicable.
  • [x] I've pasted logs, if applicable.

Proposed Feature

On Create Credentials, we should have the opportunity to specify a client certificate ( CRT,KEY, CA) to be able to connect on repository protected by MTLS.

Motivation

In our case both our self hosted Gitlab and Harbor registry (docker image and helm) are protected by MTLS and login/password

Suggested Implementation

obeyler avatar Apr 10 '24 03:04 obeyler

@obeyler even though this doesn't seem like a lot of work, before going too far down this rabbit hole, I am wondering if this problem isn't best addressed with a service mesh.

krancour avatar Apr 10 '24 14:04 krancour

I think in their use case, mTLS is being used a second layer of client authentication to that specific server. So even if the kargo pods were meshed with gitlab/harbor servers, the user still may only give the client certificates to select, trusted clients, and not everything on the mesh.

Does anyone know if it's possible for the client certificates used in mTLS to be dropped into well-known operating system paths (e.g. /etc/ssl/certs) to be picked up by applications like curl, wget, golang's HTTP SDK? Similar to how you can drop in root certificates at the OS level? If this is possible, I wonder if kargo itself could be volumeMounted with the client certs and automatically pick them up without an explicit feature needed to be developed.

jessesuen avatar Apr 10 '24 20:04 jessesuen

I think in their use case, mTLS is being used a second layer of client authentication to that specific server.

Right. But it's the fact of it being a second factor rather than the only factor, that raised for me the possibility that the requirement possibly could be met with a mesh. It's what prompted the request for more details.

I can equally see the possibility that a mesh solves the problem here or that it doesn't.

the user still may only give the client certificates to select, trusted clients, and not everything on the mesh.

It's been a while since I've gone deep on any meshes, but I think routing rules can constrain a service to permitting ingress only from specific services or namespaces rather than simply permitting ingress from any service in the mesh.

Does anyone know if it's possible for the client certificates used in mTLS to be dropped into well-known operating system paths (e.g. /etc/ssl/certs) to be picked up by applications like curl, wget, golang's HTTP SDK? Similar to how you can drop in root certificates at the OS level? If this is possible, I wonder if kargo itself could be volumeMounted with the client certs and automatically pick them up without an explicit feature needed to be developed.

If a mesh doesn't meet the need, this may not either (if it's even possible, that is) because this would be roughly equivalent to using a mesh insofar as all the outbound traffic would use a single client cert as opposed to selecting a specific client cert from a credential/Secret.

krancour avatar Apr 10 '24 21:04 krancour

I think mesh service is a little bit oversized for this and implies a lot of other constraint. I hope that as argocd did it for git or helm repository for might be easy to be inspire image

obeyler avatar Apr 11 '24 07:04 obeyler 

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kargo-demo-repo
  namespace: kargo-demo
  labels:
    kargo.akuity.io/cred-type: git
stringData:
  repoURL: ${GITOPS_REPO_URL}
  username: ${GITHUB_USERNAME}
  password: ${GITHUB_PAT}
  tlsClientCertData: ##optional value
  tlsClientCertKey ## optional value

can be possible yaml to allow git or an docker registry protected behind a MTLS, ( same as argocd does)

obeyler avatar Apr 11 '24 16:04 obeyler

@obeyler thanks. I don't see this as being a problem. I just wanted to be sure that the notion of a service mesh wasn't being completely overlooked in the event that it was a viable option.

krancour avatar Apr 11 '24 18:04 krancour

+1 to increase priority

raphaelappsolute avatar Apr 30 '24 12:04 raphaelappsolute

+1 same issue here

ManuHeel avatar May 21 '24 08:05 ManuHeel

+1

juleshry avatar May 21 '24 08:05 juleshry

Another +1 interested

m3astwood avatar Jun 03 '24 11:06 m3astwood

+1

timbtimbtimb avatar Jun 04 '24 12:06 timbtimbtimb

It is clear to us that this is a popular feature request and we are factoring that into our planning. To spare the team from some noise, further +1s aren't going to move the needle any more than it's already been moved.

krancour avatar Jun 04 '24 14:06 krancour

Hi, I'm feel sad to see that this issue is now on low priority even if it's looks popular. If we plan to propose a PR to solve it can we expect to be merged ?

obeyler avatar Sep 05 '24 17:09 obeyler

@obeyler priorities are relative things. Right now, we've basically moved anything to low if it's something we plan to do post-GA.

Contributions are always welcome and do tend to accelerate things, but do always require review, of course, which can still be time consuming. I cannot make a guarantee that maintainers will be able to prioritize reviewing this feature pre-GA any more than we could prioritize working on it.

Again, with all things being relative, if the feature is thorough, documented, and implemented well, it is faster to get such a thing merged than if maintainers have to invest a lot of time advocating for revisions. tl;dr the answer to "can we expect to be merged" depends entirely on what the contributor puts into it.

krancour avatar Sep 06 '24 14:09 krancour