Obtaining the CA certificate generated by Clabernetes

[jbemmel]

On vanilla containerlab the generated CA files can be found under <clab-folder>/.tls/ca

There seems to be no equivalent location in case of Clabernetes - making it hard to connect to pod nodes securely (for - say - GRPC connections)

Ideally c9s would generate one (1) master CA file, and distribute that to all the pods for use with each node

[carlmontanari]

not something c9s will do. I can always change my mind of course but dont think I would on this.

you can generate certs (or whatever you want of course) yourself and mount it in a configmap and mount it in all your nodes, you can have your clab definition mount those things however you want to the actual NOS container of course, or it can just be a thing on the launcher if thats what you're after.

[carlmontanari]

one caveat: if we need to add a thing to mount secrets to launchers (which may contain the ca/cert magic stuff) I would be open to adding that in the same way we have filesfromconfigmap rn!

[hellt]

to add on top of Carl' message

I guess this question has multiple sides

1 Fetching generated certificates/keys

When c9s runs nodes what happens is that you have a launcher pod per a lab node. The launcher pod runs a standalone containerlab in it.
This means that you would still have <clab-folder>/.tls/ca path with the generated keys, it is just that each launcher pod will have a single cert/key per the node it runs.

This means you can fetch those certificates still, just fetch it from the launcher pods, instead of a folder on a disk, like happens in clab-land.

2 Providing pregenerated secrets to the launcher

It is possible to provide files to the launcher pods by using filesFromConfigMap (or proposed filesFromSecret). So if we would have pregenerated ca.pem and per node certs we could set those in a secret and each key would be a path where the rendered secret value would be written.

that way we can provide pregenerated keys to the nodes (and clab would use them) or provide a ca.pem to have keys generated with a known CA

[jbemmel]

I am working on Netlab integration, Clabernetes using a different root CA for nodes located in different pods makes such integration basically impossible

"The goal of Clabernetes is to scale Containerlab beyond a single node while keeping the user experience you love" implies that there would be a single root CA provided to the user, which they can use to securely connect to each node - regardless of distribution.

[hellt]

then netlab integration will have to wait until someone implements any of the methods outlined here #158 (comment)

[jbemmel]

This could use the Containerlab 'External CA' feature, i.e. generate CA files and put them under

settings:
  certificate-authority:
    cert: rootCACert.pem
    key: rootCAKey.pem

for the topology in each pod