add windows support for root CA cert stores #84
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rosskirkpat
requested review from
brandond,
phillipsj,
luthermonson,
thedadams and
Oats87
phillipsj
approved these changes
May 4, 2022
thedadams
suggested changes
May 5, 2022
brandond
requested changes
May 5, 2022
luthermonson
approved these changes
May 5, 2022
|
@snasovich If @Oats87 is not able to review this by EOD today as he is out of office, can I get your approval to merge once I have another round of approvals from @brandond and @thedadams ? |
brandond
reviewed
May 5, 2022
thedadams
suggested changes
May 5, 2022
Comment on lines
+20
to
+22
| if caCertPool == nil { | ||
| return nil, fmt.Errorf("[GetSystemCertPoolWindows] x509 returned a nil certpool for probe (%s)", probeName) | ||
| } |
There was a problem hiding this comment.
I think this can be removed.
There was a problem hiding this comment.
I added the nil check inside each of the functions for linux/windows as it allows the function to fail faster for Windows and avoid a situation where a nil pointer causes a failure before we could check it in the main prober.go. Waiting to check until after the caCertPool is returned could result in a nil pointer being returned when we try to append the certs from the syscall to the caCertPool.
brandond
requested changes
May 5, 2022
brandond
approved these changes
May 5, 2022
thedadams
approved these changes
May 5, 2022
This was referenced Nov 29, 2022
tmacam
added a commit
to tmacam/dapr-components-contrib
that referenced
this pull request
Nov 30, 2022
Tests in vault_test.go had the following :
```go
// This call will throw an error on Windows systems because of the of
// the call x509.SystemCertPool() because system root pool is not
// available on Windows so ignore the error for when the tests are run
// on the Windows platform during CI
_ = target.Init(m)
```
As of Go 1.18 this is not the case for Windows anymore and
we can instead enforce error checking. References:
* golang/go#16736
* golang/go#18609
* rancher/system-agent#84
* jaegertracing/jaeger#2756
Given Dapr depends on Go 1.19, we can enforce tests on `Init` result
and remove this comment.
While enforcing error checking we notice that the code above was
actually hiding errors in the test setup. Component initialization was
ending prematurely due to those errors and the test code was wrongfully
testing for the behavior of a component that has not been successfully
initialized. This is also addressed in this PR.
Closes dapr#2330.
Signed-off-by: Tiago Alves Macambira <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Move the get/create of a root CA cert store into OS dependent functions
Fixes #83
Unblocks rancher/windows#161
Occurred changes and/or fixed issues
Windows does not support x509.SystemCertPool() in <go1.18. This PR implements a workaround to load the System Cert Store on Windows nodes.
Technical notes summary
This is adapted from the following workaround: golang/go#16736 (comment)
Error seen on Windows machines:
Message : error loading system cert pool for probe (kubelet): crypto/x509: system root pool is not available on WindowsSince <go1.18 on Windows cannot load the root CA cert store, this PR leverages syscalls to load the certificate context from the Root CA cert store and then create a new x509 cert pool that contains the Root CAs. This will likely cause a performance drop on Windows as each probe that requires a CACert will need to build it's own x509 cert pool with the root CAs.
Once system-agent is upgraded to go1.18+ the differing code paths should no longer be required.
Areas or cases that should be tested
This PR cannot be tested before it is merged as far as I am aware.
Areas which could experience regressions
These changes should only impact system agent functionality on Windows. The existing functionality for linux hosts has been shuffled into a new function but the underlying code is still the same. For windows, given that loading the CA certs from the root store is currently broken I do not see any potential for regression.
Screenshot/Video
N/A