✨ Allow Use of Public CAs

[spjmurray]

As a public cloud operator it strikes me as odd that I have to supply a CA certificate for every cluster that's created. This leads to a bunch of code that has to Dial the endpoint and extract the root CA (rather than hard coding it - ugh!). The whole point of the distroless base container image is to distribute TLS root CAs, so allow the option to use what's already present.

What this PR does / why we need it:

As stated in the commit message.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
None

Special notes for your reviewer:

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• if necessary:
  • includes documentation
  • adds unit tests

/hold

[k8s-ci-robot]

Hi @spjmurray. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name	Link
🔨 Latest commit	0249663
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/64b65ba7beeece0008e295f4
😎 Deploy Preview	https://deploy-preview-1610--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[spjmurray]

Implementation note: I left the default behaviour as-is, so it doesn't work unless you provide a CA certificate... odd security posture that, if you want to force the use of a CA, have admission control do it.

Anyway, I wouldn't be averse to backing out 90% of the changes, making public CAs the default, and have the end user explicitly override for self-signed infra. Seems like the infinitely more useful way of doing it imo 🤷🏻

[spjmurray]

Ah, I see what I did wrong! Helm defaults injecting an invalid CA. Yeah, I'm going to take the KISS approach; use the system CAs if a cert if not explicitly specified. It's literally 2 lines then. If you want to enforce the specification of an exact CA then I can add some logic into the validating webhook.

[mdbooth]

/ok-to-test

[mdbooth]

https://pkg.go.dev/crypto/tls#Config says:

// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
// If RootCAs is nil, TLS uses the host's root CA set.
RootCAs *x509.CertPool

With this change RootCAs is nil unless cacerts is non-nil. Following cacerts up the chain of callers, it is also nil unless --ca-certs was given on the command line. IOW, I think this behaviour is probably what most folks would have expected it already does.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mdbooth, spjmurray

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mdbooth]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jichenjc]

/lgtm
/hold cancel