Condukt.Sandbox.NetworkPolicy.CA (Condukt v1.5.0)


Per-session ephemeral Certificate Authority used by the egress sidecar for TLS interception.

A CA is a self-signed root that the egress sidecar uses to mint per-host leaf certificates on the fly when intercepting TLS connections. The workspace image must trust this CA at session start for the handshake to succeed; if it does not, the request fails with a tls_handshake_failed event.

Lifecycle

One CA is generated per session at pod creation:

{:ok, ca} = Condukt.Sandbox.NetworkPolicy.CA.generate(common_name: "session-abc")
ca.cert_pem  # mounted as a K8s Secret to the sidecar
ca.key_pem   # mounted as a K8s Secret to the sidecar
ca.cert_pem  # also mounted (read-only) to the workspace at /etc/condukt/ca.pem

When the session ends, the K8s Secret is deleted along with the pod, so the CA's blast radius is bounded by the session. Note the asymmetry in the mounts above: only cert_pem reaches the workspace, while key_pem is mounted solely into the sidecar. A compromised workspace therefore gains nothing it can use to mint leaves for other hosts; it only trusts what this session's sidecar signs.

Cryptographic choices

Defaults are:

  • Elliptic curve P-256 (prime256v1). Faster than RSA, broadly supported, and a common choice for short-lived certs.
  • Validity period: 24 hours, with a 1 hour skew applied on both ends (NotBefore moved back, NotAfter moved forward) to absorb pod-vs-host clock drift.
  • Common name: a caller-supplied string, typically the session id.

Each of these can be overridden via opts; the defaults are exactly what the Kubernetes sandbox passes at session start.

Summary

Functions

generate(opts)

Generates a fresh per-session CA.

trust_bundle(ca)

Returns a PEM-encoded CA bundle suitable for mounting at /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem on the workspace container.

Functions

generate(opts)

Generates a fresh per-session CA.

Options:

  • :common_name — string put in the Subject CN. Required.
  • :validity_hours — total validity in hours, default 24.
  • :skew_hours — pre-skew applied to NotBefore (and post-skew on NotAfter) in hours, default 1. Absorbs clock drift between Condukt's host and the K8s pod.
  • :organization — Subject Organization, default "Condukt".

trust_bundle(ca)

Returns a PEM-encoded CA bundle suitable for mounting at /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem on the workspace container.

The bundle is the Mozilla / curl.se public root list (shipped under priv/ca-certificates/mozilla.pem) with the per-session CA appended. Any tool that reads the well-known bundle paths or honours SSL_CERT_FILE ends up trusting both the public Internet and the egress sidecar's leaf certs without the workspace image needing any preparation. Tools that carry their own root store and consult neither the well-known paths nor SSL_CERT_FILE are not covered by this and must be pointed at the bundle explicitly, or their connections fail with tls_handshake_failed.
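The three mechanics this page describes (generate/1's P-256 root with skewed validity, the sidecar minting a per-host leaf, and trust_bundle/1's concatenated bundle as seen by a TLS client in the workspace) as one added example, written here in Go against the standard library's crypto/x509 so that the chain-building can be exercised end to end. It is not Condukt code and not the Elixir module's API. The public root list is replaced by a constructed self-signed root standing in for priv/ca-certificates/mozilla.pem; the one-hour leaf validity and the exact way validity and skew combine are assumptions; and every name (SessionCA, GenerateCA, MintLeaf, TrustBundle, VerifyLeaf) belongs to this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SessionCA mirrors the page: CertPEM goes to sidecar and workspace, KeyPEM only to the sidecar.
type SessionCA struct {
	CertPEM []byte
	KeyPEM  []byte
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader fails
	return k
}

func randomSerial() *big.Int {
	s, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit random serial
	return s
}

// GenerateCA mints a self-signed P-256 root. NotBefore moves back by skew and NotAfter forward by
// skew, so a pod clock within +/-skew of the host still validates (assumption: how the two combine).
func GenerateCA(cn, org string, validity, skew time.Duration, now time.Time) (*SessionCA, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             now.Add(-skew),
		NotAfter:              now.Add(validity + skew),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so the CA can act as a parent
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return &SessionCA{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		cert:    cert,
		key:     key,
	}, nil
}

// MintLeaf is the sidecar's per-host step: fresh key, server cert for host, signed by the session CA.
func (ca *SessionCA) MintLeaf(host string, now time.Time) ([]byte, error) {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		DNSNames:     []string{host}, // clients match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour), // one-hour leaf window on each side is an assumption
		NotAfter:     now.Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// TrustBundle is the trust_bundle/1 idea: public roots with the session CA appended (PEM concatenates).
func TrustBundle(publicRoots, sessionCAPEM []byte) []byte {
	return append(append([]byte{}, publicRoots...), sessionCAPEM...)
}

// VerifyLeaf does what a TLS client in the workspace does: chain the leaf to a root in the bundle,
// for host, evaluated at the pod's own clock.
func VerifyLeaf(bundle, leafPEM []byte, host string, podClock time.Time) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return errors.New("bundle contains no certificates")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: podClock})
	return err
}
```

With a podClock 30 minutes behind the host, VerifyLeaf succeeds because both NotBefore values were pushed back by the skew; two hours behind, it fails with a not-yet-valid error, which is what the workspace would surface as tls_handshake_failed. A leaf minted by a different session's CA, or a bundle without this session's CA appended, fails with an unknown-authority error: that is the bounded blast radius of the Lifecycle section expressed in chain-building terms.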