[Merged by Bors] - feat: openssl partial CA trust anchor #2232

@pinkforest pinkforest commented Mar 2, 2022

Fixes #2216 by adopting downstream changes from fluvio-future & k8-client

Intermediate CAs are used to compartmentalize issuance and management in certain configurations to improve security.

However, managing the full client CA chain in this case would become logistically cumbersome, and the industry has moved to generally accept using the intermediate CAs as the partial "Trust anchor" on the client end, e.g. curl or kubectl.

Dependent on

fluvio-future bump to 0.3.14 under:

k8-client bump to 0.5.1 (depends fluvio-future 0.13.14 as well)

@pinkforest pinkforest changed the title [WIP] feat: openssl partial CA trust anchor feat: openssl partial CA trust anchor Mar 2, 2022

sehz commented Mar 2, 2022

Can you link to issue?

@wendyOn wendyOn requested review from sehz, simlay and morenol March 7, 2022 15:57
bors bot pushed a commit to infinyon/future-aio that referenced this pull request Mar 7, 2022
Closes #135

This proposed feature adds to TlsClient constructor:
- `allow_partial: bool` which toggles OpenSSL [X509VerifyFlags::PARTIAL_CHAIN](https://docs.rs/openssl/latest/openssl/x509/verify/struct.X509VerifyFlags.html#associatedconstant.PARTIAL_CHAIN) - default `true`

### Publish

This PR bumps fluvio-futures to 0.3.14

Enables bump in k8-client:
- infinyon/k8-api#151

Which in turn enables bump in fluvio:
- infinyon/fluvio#2232
bors bot pushed a commit to infinyon/k8-api that referenced this pull request Mar 7, 2022
Related to
infinyon/fluvio#2232

### Dependent on
fluvio-future bump to 0.3.14 under:
- infinyon/future-aio#134

### Publish

This PR bumps k8-client to 0.5.1

Which in turn enables bump in fluvio:

infinyon/fluvio#2232

@sehz sehz left a comment

LGTM


sehz commented Mar 8, 2022

bors r+

bors bot pushed a commit that referenced this pull request Mar 8, 2022
Fixes #2216 by adopting downstream changes from fluvio-future & k8-client

Intermediate CAs are used to compartmentalize issuance and management in certain configurations to improve security.

However, managing the full client CA chain in this case would become logistically cumbersome, and the industry has moved to generally accept using the intermediate CAs as the partial "Trust anchor" on the client end, e.g. curl or kubectl.

### Dependent on

fluvio-future bump to 0.3.14 under:
- infinyon/future-aio#134

k8-client bump to 0.5.1 (depends fluvio-future 0.13.14 as well)
- infinyon/k8-api#151

bors bot commented Mar 8, 2022

Build failed:


sehz commented Mar 8, 2022

bors r+

bors bot pushed a commit that referenced this pull request Mar 8, 2022

bors bot commented Mar 8, 2022

Pull request successfully merged into master.

Build succeeded:

@bors bors bot changed the title feat: openssl partial CA trust anchor [Merged by Bors] - feat: openssl partial CA trust anchor Mar 8, 2022
@bors bors bot closed this Mar 8, 2022
Successfully merging this pull request may close these issues.

Installer: self-signs certs cause installation failure