
Investigate if we can get rid of the dependency on openssl and use rustls instead

Open soenkeliebau opened this issue 4 years ago • 3 comments

Currently the agent relies on system provided openssl libraries for all TLS concerns.

We could potentially switch to using rustls [1] which would remove our dependency on ssl system libraries (we still have the systemd library, so would not be totally free - but every little bit helps).

Mostly I think this is necessary via the kube and kubelet dependencies, both of which in theory would support this.

https://github.com/clux/kube-rs#rustls
https://github.com/deislabs/krustlet/blob/main/docs/community/developers.md#building-without-openssl

This is something that @djc may be able to help with.

[1] https://github.com/ctz/rustls

soenkeliebau avatar Apr 21 '21 13:04 soenkeliebau

Rustls does not support IP addresses (see ctz/rustls#184).

k3s uses an IP address by default:

$ cat /etc/rancher/k3s/k3s.yaml | grep server
    server: https://127.0.0.1:6443

Our test-dev-cluster uses k3s and fails with the following error when using #204:

Error: ReqwestError: error sending request for url (https://127.0.0.1:6443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests?): error trying to connect: invalid dnsname

There will be some effort to fix this.

Using rustls will decrease the complexity on the dependency side but the complexity will be increased where rustls is not on par with the native TLS library.

siegfriedweber avatar Jun 22 '21 14:06 siegfriedweber
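A preflight check for the problem described in the comment above, added here as an example and not part of the issue or of the agent's own code: it scans a kubeconfig for `server:` URLs and reports those whose host is an IP literal, which rustls (as of ctz/rustls#184) rejects as "invalid dnsname". The kubeconfig text is a constructed sample modelled on the k3s default quoted above; the function names are this example's own.

```rust
use std::net::IpAddr;

/// How rustls, at the time of this issue, can treat the host in a server URL.
#[derive(Debug, PartialEq)]
pub enum HostKind {
    /// DNS name: rustls can match it against the certificate's SANs.
    DnsName(String),
    /// IP literal: rustls without IP-SAN support fails with "invalid dnsname".
    IpLiteral(IpAddr),
}

/// Extract the host from an URL such as "https://127.0.0.1:6443/api" or
/// "https://[::1]:6443". Returns None when no host can be recognised.
pub fn url_host(url: &str) -> Option<String> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    // Drop any userinfo ("user:pass@") in front of the host.
    let hostport = authority.rsplit('@').next()?;
    if let Some(stripped) = hostport.strip_prefix('[') {
        // Bracketed IPv6 literal; the port (if any) follows the ']'.
        return stripped.split(']').next().map(str::to_string);
    }
    let host = hostport.split(':').next()?;
    if host.is_empty() { None } else { Some(host.to_string()) }
}

/// Classify the host of a server URL; None when the URL has no host.
pub fn classify(url: &str) -> Option<HostKind> {
    let host = url_host(url)?;
    Some(match host.parse::<IpAddr>() {
        Ok(ip) => HostKind::IpLiteral(ip),
        Err(_) => HostKind::DnsName(host),
    })
}

/// Return every `server:` URL in a kubeconfig whose host is an IP literal,
/// i.e. the clusters that a rustls-only client could not connect to.
pub fn ip_servers_in_kubeconfig(kubeconfig: &str) -> Vec<String> {
    kubeconfig
        .lines()
        .filter_map(|line| line.trim().strip_prefix("server:"))
        .map(|value| value.trim().trim_matches('"').to_string())
        .filter(|url| matches!(classify(url), Some(HostKind::IpLiteral(_))))
        .collect()
}

fn main() {
    // Constructed sample: one k3s-style IP server and one DNS-named server.
    let kubeconfig = "clusters:\n- cluster:\n    server: https://127.0.0.1:6443\n  name: k3s\n- cluster:\n    server: https://kube.example.internal:6443\n  name: other\n";
    for url in ip_servers_in_kubeconfig(kubeconfig) {
        println!("rustls cannot verify IP-literal server: {}", url);
    }
}
```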

Yup, rustls currently doesn't support certificates identifying with an IP. This is set to be fixed soon (in the next few months), but remains a downside for now.

djc avatar Jun 22 '21 14:06 djc

Marking this as blocked due to https://github.com/ctz/rustls/issues/184 for now. We can revisit this at some point in the future.

soenkeliebau avatar Jul 06 '21 11:07 soenkeliebau