Skip to content

fix: allow self-signed ingress certificates to be trusted#281

Open
ssthom wants to merge 2 commits intomasterfrom
selfSignedIngress
Open

fix: allow self-signed ingress certificates to be trusted#281
ssthom wants to merge 2 commits intomasterfrom
selfSignedIngress

Conversation

@ssthom
Copy link
Collaborator

@ssthom ssthom commented Apr 22, 2021

By adding the NODE_EXTRA_CA_CERTS environment variable we can let razeedash trust self-signed certs which is needed if the ingress for your razeedash-api is self-signed. Otherwise you get the following in WatchKeeper:

{"name":"DelayedSendArray","hostname":"watch-keeper-6fd5996f7f-z4nvr","pid":1,"level":50,"err":{"message":"self signed certificate in certificate chain","name":"Error","stack":"Error: self signed certificate in certificate chain\n    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)\n    at TLSSocket.emit (events.js:315:20)\n    at TLSSocket._finishInit (_tls_wrap.js:932:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)","code":"SELF_SIGNED_CERT_IN_CHAIN"},"msg":"self signed certificate in certificate chain","time":"2021-04-22T17:31:22.889Z","v":0}

To enable this you just add your certificate to the watch-keeper-secret secret with the key cacerts.pem. If you don't have that key in your secrets WatchKeeper still starts up fine, just no additional certs being accepted

@ssthom ssthom requested a review from adamkingit April 22, 2021 18:50
alewitt2
alewitt2 requested changes May 6, 2021
View reviewed changes
kubernetes/watch-keeper/resource.yaml
Comment on lines +37 to +38
- name: NODE_EXTRA_CA_CERTS
value: /home/node/envs/watch-keeper-secret/cacerts.pem
Copy link
Member

@alewitt2 alewitt2 May 6, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with this except for the fact that there will be a warning when the file doesnt exist (which will probably be the majority of the time)

docs ref:

A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.

i think we can achieve the same result with an optional env.

Suggested change
- name: NODE_EXTRA_CA_CERTS
value: /home/node/envs/watch-keeper-secret/cacerts.pem
- name: NODE_EXTRA_CA_CERTS
valueFrom:
configMapKeyRef:
name: watch-keeper-config
key: NODE_EXTRA_CA_CERTS
optional: true

which means someone who wants to add extra certs will have to update both the watch-keeper-config with the ca certs path, as well as the watch-keeper-secret with the actual pem file.

Please make the change and test it. thanks.

@stale
Copy link

stale bot commented Jun 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jun 9, 2021
@adamkingit adamkingit added the enhancement New feature or request label Jun 9, 2021
@stale stale bot removed the wontfix This will not be worked on label Jun 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alewitt2 alewitt2 alewitt2 requested changes

@adamkingit adamkingit Awaiting requested review from adamkingit

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ssthom @alewitt2 @adamkingit