podcvd: Support trusted TLS for operator on container instances#2819
podcvd: Support trusted TLS for operator on container instances#28190405ysj wants to merge 1 commit into
Conversation
ikicha
left a comment
There was a problem hiding this comment.
Not sure if installing this self signed certifiacte in system root ca and chrome by default is common pattern or okay. Even though we don't install it by default, it becomes just one time consent with new cert, right?
The answer was no from what I probably saw few days ago, I still need to check this once more. |
jemoreira
left a comment
There was a problem hiding this comment.
IIUC this is creating a new local certificate authority and a certificate for all the IPs podcvd might use, configuring chrome to trust that certificate and sharing the certificate with all podcvd containers. Please correct me if I got something wrong.
Is it possible to make all browsers, not just chrome, trust the certificate? I think it should be possible to install a local certificate authority in a way that everything in the local system trusts it, not just chrome. Then it should not be necessary to add the certificate anywhere since it was signed with the trusted CA and therefore trusted as well. Did you try this approach?
That's correct.
Let me check with other browsers on my machines if I can. I've verified only within chrome browser so far. I expect all chromium browser and any other browsers follows |
Accessing operator living in container instances by chrome browser(or any other browsers perhaps) is so annoying, as certification procedure is not prepared so that the browser displays the warning message in advance of accessing the operator. This is even worse experience than operator working with
cvd, as the lifecycle of operator is not permanent, but bound to the container's lifecycle.Context: b/532008913