
Support multiple certificates in order to achieve a full mesh topology for access federation

Open mikeycmccarthy opened this issue 3 years ago • 4 comments

Is this a request for help?: No

Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST

If this is a FEATURE REQUEST, please:

  • Describe in detail the feature/behavior/change you'd like to see.

This feature request is somewhat related to https://github.com/jfrog/charts/issues/161

We have a number of Artifactory instances, some being Edge nodes, and are looking to establish a circle of trust between them (see https://www.jfrog.com/confluence/display/JFROG/Access+Federation#AccessFederation-EstablishingtheCircleofTrust).

For a full mesh topology, it says:

Consider the scenario where three Access services that should be set up in a Full Mesh topology where each service should be able to synchronize changes to security entities to both other services.

In this case, you need to provide each Access service with the root certificates of both other services so that both are trusted.

I believe that to achieve this purely via code, either the current 'customCertificates' block needs to be able to take a list of certificates rather than just a single one, or the secret referenced by certificateSecretName should be able to have multiple certs inside it.

mikeycmccarthy · Feb 14 '22 13:02

I spoke with JFrog directly around this and it wasn't clear if the intention is for binding tokens to eventually replace this functionality. At the moment they can perform some of the Circle Of Trust functionality but only around federated repositories and not for full access federation.

mikeycmccarthy · Feb 15 '22 11:02

I think I've made a mistake raising this and this is entirely possible - I'll confirm then close up if that's correct.

mikeycmccarthy · Feb 15 '22 16:02

I was right the first time here. While it's easy to add this functionality via a custom initContainer I believe it could be even easier.

Essentially what I need to do is EXACTLY what you do with setting these values:

customCertificates:
  enabled: true
  certificateSecretName: my-secret

The above will put as many certificates as you want into /etc/security/keys/trusted. If you want to do circle of trust then you need to put certificates into /etc/access/keys/trusted (a different file path).

I think it'd be nice to see this implemented via something like 'customAccessCertificates'. Just my personal opinion though!

mikeycmccarthy · Feb 15 '22 21:02

This is now covered with circleOfTrustCertificatesSecret. We set multiple entries in that secret, one per root certificate we need.

mikeycmccarthy · Jan 20 '23 10:01
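As an added example (not code from the jfrog/charts project or from the thread), a small POSIX shell helper that assembles the Secret the last comment describes: one data entry per root certificate, referenced through the chart value circleOfTrustCertificatesSecret. It refuses any file that is not a single PEM certificate, so a private key or a bundle never ends up in the Access trust directory. The secret name, the file names and the nesting of the value under the artifactory section are assumptions.

```shell
#!/bin/sh
# Added example, not code from the jfrog/charts project. Builds the Kubernetes
# Secret that the thread's resolution relies on: one data entry per root
# certificate, referenced by the chart value circleOfTrustCertificatesSecret.
# Assumed: the chart mounts each entry as a file under /etc/access/keys/trusted;
# the secret and file names below are ours.
set -eu

# Succeed only if the file contains exactly one PEM certificate and no private
# key, so a stray key or a bundle never lands in the Access trust directory.
is_single_pem_cert() {
  f="$1"
  [ -f "$f" ] || return 1
  if grep -q 'PRIVATE KEY-----' "$f"; then return 1; fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$n" -eq 1 ]
}

# Print a Secret manifest with one base64 data entry per certificate file.
# Usage: render_cot_secret <secret-name> <root-cert.crt>...
render_cot_secret() {
  name="$1"; shift
  for f in "$@"; do
    is_single_pem_cert "$f" || { echo "refusing $f: not a single PEM certificate" >&2; return 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
  done
}

# Values consumed by the chart alongside the Secret (value name from the
# thread; its nesting under the artifactory section is an assumption):
#   artifactory:
#     circleOfTrustCertificatesSecret: access-circle-of-trust

# Demo with constructed, non-functional PEM bodies: ./cot-secret.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  for site in edge-a edge-b; do
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' > "$d/$site-root.crt"
  done
  render_cot_secret access-circle-of-trust "$d/edge-a-root.crt" "$d/edge-b-root.crt"
  rm -r "$d"
fi
```

Pipe the rendered manifest into kubectl apply, then point circleOfTrustCertificatesSecret at the Secret name; each Artifactory instance gets a Secret holding the root certificates of every other instance in the mesh.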