User passed CA certificates should not be appended to the System CAs

[scholzj]

If I read the code in

strimzi-canary/internal/security/security.go

Line 33 in 3e21f06

if !tlsConfig.RootCAs.AppendCertsFromPEM(caCert) {

correctly, it tries to append the user provided CAs to the system certificates. I think this is wrong - if user passes own CA certificates, it should be used exclusively and not mixed with some system certificates.

[ppatierno]

What's the reason you think it's wrong? Do you see any drawback? At the beginning we thought this way then discussing with @k-wall we thought that there is no good reason for adding and not exclusive CA provided cert. Open to listen your reasons.

[scholzj]

It is IMO wrong because you trust way more CAs then the user requested, so IMHO it is a security issue. If the user tells the canary to trust a specific CA, it should not trust his CA and many other CAs. You can use that for example to trick the canary to connect to a different server with completely different CA for example. If this was not under development but released I would say it is a CVE.

If nothing else, there should be an option to not do this. But at least personally, I also haven't seen any other application do this - so it would be also unexpected for the users at least in the Kafka land. So I think it should not do this at all.

Also - leaving the appending aside - even the use of the system certs by default contradicts the documentation in the README.md which says that the default is empty which is not true if it defaults to the system certs. I think this part is fine and useful and mirrors for example the Java behaviour, but should be covered correctly in the docs.

[ppatierno]

@scholzj I think what you said makes sense. While discussing, I opened #81 for fixing the doc describing the current behaviour.