feat: add custom ca certificate support for pongo image #632

Open
wants to merge 1 commit into
base: master

tysoekong
Collaborator

This allows pongo to add a custom CA into the container image's OS truststore during the build/up.

It allows the user to add e.g. their employer's traffic inspection CA.

It makes all of these work when running behind e.g. Zscaler:

  • Kong outbound requests
  • pip3
  • luarocks
  • git
  • probably everything else

@tysoekong tysoekong requested a review from Tieske October 30, 2024 13:19
@tysoekong
Collaborator Author

I've only tested on macOS, should try e.g. WSL2, ubuntu, amzn...

@tysoekong
Collaborator Author

Oh it's failing all code coverage also

PONGO_CUSTOM_CA_CERT
set this to the absolute path of a custom CA to add to the
container's truststore
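
Review bot: the help text for `PONGO_CUSTOM_CA_CERT` does not say what file format is expected or which command reads the variable, and it does not mention that adding a CA to the container's truststore makes every TLS client in the container accept certificates issued by it. Suggest stating the expected encoding (for example, a PEM file), naming the command that consumes the variable, and noting that the trust is container-wide, so the file should only ever be a CA the user already relies on.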

Member

Since this is added in the container build, I think this should go in the help-docs of the pongo build command.

For example:

```sh
$ PONGO_CUSTOM_CA_CERT="$(pwd)/zscaler-root.crt" pongo up

Member

this is a bad example I think, though it would probably work if the container image still needs to be built.
So I think the example should have 2 commands;

  1. the build command including the flag for CA certs
  2. the run command without the flags (to indicate clearly they are in the image)

msg "custom CA is set: $PONGO_CUSTOM_CA_CERT"
cp "$PONGO_CUSTOM_CA_CERT" "$LOCAL_PATH/custom_ca.crt"
else
echo -n '' > "$LOCAL_PATH/custom_ca.crt"
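
Review bot: the `cp "$PONGO_CUSTOM_CA_CERT" "$LOCAL_PATH/custom_ca.crt"` line has no check in the visible lines that the path exists, is a readable regular file, or actually holds a certificate, so a typo or the wrong file would be copied into the build context under the name `custom_ca.crt`, and a failed `cp` is not reported. Suggest validating the path before copying (a `[ -f ... ]` test plus a certificate parse) and aborting with an error message when it fails. In the `else` branch, `echo -n ''` behaves differently across shells; `: > "$LOCAL_PATH/custom_ca.crt"` creates the empty file without depending on `-n`.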

Member

can't we add it in some less visible location?

@Tieske
Member

Tieske commented Nov 5, 2024

@tysoekong wdyt; should the cert be added in the build stage (and become part of the created image), or should it be added while doing a pongo run/shell? (eg. upon container instantiation)
