feat: add custom ca certificate support for pongo image #632

Open. Wants to merge 1 commit into base: master.
17 changes: 17 additions & 0 deletions README.md
Expand Up @@ -78,6 +78,10 @@ Environment variables:
KONG_LICENSE_DATA
set this variable with the Kong Enterprise license data

PONGO_CUSTOM_CA_CERT
set this to the absolute path of a custom CA to add to the
container's truststore

Member: Since this is added in the container build, I think this should go in the help-docs of the pongo build command.

POSTGRES the version of the Postgres dependency to use (default 9.5)
CASSANDRA the version of the Cassandra dependency to use (default 3.11)
REDIS the version of the Redis dependency to use (default 6.2.6)
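Review bot: the new PONGO_CUSTOM_CA_CERT entry should state when the variable is read. From the pongo.sh change it is consulted only by the image build, so setting it for `pongo up` or `pongo run` against an already built image is a silent no-op until `pongo build` is rerun; say so here and, as the inline comment suggests, in the `pongo build` help. "absolute path" is also stricter than the code, which hands the value straight to `cp` and accepts any path the shell can resolve; either enforce it in pongo.sh or soften the wording.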
Expand Down Expand Up @@ -465,6 +469,19 @@ Some helpfull examples:

[Back to ToC](#table-of-contents)

## Custom CA

If you are running pongo e.g. behind a corporate traffic-inspector, and that normally requires you to add
a custom CA certificate into the operating system or container truststore, use the following flag:

`PONGO_CUSTOM_CA_CERT=/path/to/custom/ca.crt`

For example:

```sh
$ PONGO_CUSTOM_CA_CERT="$(pwd)/zscaler-root.crt" pongo up
Member: this is a bad example I think, though it would probably work if the container image still needs to be built.
So I think the example should have 2 commands:

  1. the build command including the flag for CA certs
  2. the run command without the flags (to indicate clearly they are in the image)

```

## Debugging

This section is about debugging plugin code. If you have trouble with the Pongo
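Review bot: the `pongo up` example in the new Custom CA section documents the wrong lifecycle step: the certificate is copied into the image when it is built, so the example should be `PONGO_CUSTOM_CA_CERT="$(pwd)/zscaler-root.crt" pongo build` followed by a plain `pongo up`, and the text should tell readers to rebuild after the CA is rotated. One more sentence is worth adding: the file lands in the container's system truststore, so every TLS client inside the image trusts it, which makes the resulting image specific to that environment and not something to push or share.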
12 changes: 12 additions & 0 deletions assets/Dockerfile
Expand Up @@ -24,6 +24,17 @@ COPY assets/pongo_profile.sh /etc/profile.d/pongo_profile.sh
COPY assets/install-python.sh /pongo/install-python.sh

USER root

# add custom CA cert in case of corporate proxy - this is a hack that ignores if the file is missing
COPY custom_ca.crt /usr/local/share/ca-certificates/custom_ca.crt
RUN <<EOF
if [ -s /usr/local/share/ca-certificates/custom_ca.crt ]; then
update-ca-certificates;
else
rm -f /usr/local/share/ca-certificates/custom_ca.crt;
fi
EOF

# httpie and jq are genric utilities usable from the shell action.
# LuaRocks needs (un)zip to (un)pack rocks, and dev essentials to build.
# Setup the development dependencies using the make target
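Review bot: the comment "ignores if the file is missing" is inaccurate; `COPY custom_ca.crt ...` fails the build whenever the file is absent from the context, and the code only tolerates an empty file that pongo.sh must always create. Anyone running `docker build` on this Dockerfile without the wrapper hits a COPY error, so either state that contract in the comment or use the usual optional-file pattern (a glob for the certificate alongside a file that always exists). The `RUN <<EOF` heredoc also requires BuildKit with the dockerfile 1.4 frontend or newer; the legacy builder does not parse heredocs and will choke on the `if` line as an unknown instruction, so add a `# syntax=docker/dockerfile:1.4` directive or collapse the conditional onto one `RUN` line. Since this runs as root ahead of the curl/pip/luarocks installs below, a wrong file is not detected here and only surfaces as a TLS failure later in the build.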
Expand Down Expand Up @@ -56,6 +67,7 @@ RUN if [ -n "$PONGO_INSECURE" ] || [ "$PONGO_INSECURE" != "false" ]; then \
git config --global http.sslVerify false; \
fi


RUN /pongo/install-python.sh
RUN pip3 install httpie || echo -e "\n\n\nFailed installing httpie, continuing without.\n\n\n"
RUN curl -s -S -L https://github.com/fullstorydev/grpcurl/releases/download/v1.7.0/grpcurl_1.7.0_linux_x86_64.tar.gz | tar xz -C /kong/bin
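Review bot: this hunk adds only a stray blank line; drop it to keep the diff focused. While here, the context line `[ -n "$PONGO_INSECURE" ] || [ "$PONGO_INSECURE" != "false" ]` is true whenever the variable is unset, because the empty string is not equal to "false", so `http.sslVerify false` is applied by default. With a real custom-CA mechanism now available, that default deserves a follow-up, since disabling verification for git makes the added CA irrelevant for that client.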
4 changes: 4 additions & 0 deletions assets/help/pongo.txt
Expand Up @@ -56,6 +56,10 @@ Environment variables:
KONG_LICENSE_DATA
set this variable with the Kong Enterprise license data

PONGO_CUSTOM_CA_CERT
set this to the absolute path of a custom CA to add to the
container's truststore

POSTGRES_IMAGE the Postgres image to use (default postgres:9.5)
CASSANDRA_IMAGE the Cassandra image to use (default cassandra:3.11)
REDIS_IMAGE the Redis dependency to use (default redis:6.2.6-alpine)
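Review bot: same wording as the README entry, so the same point applies: mention that the variable is consumed only by `pongo build` and that the certificate is baked into the image, and keep this text and the README in sync if either is reworded.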
10 changes: 9 additions & 1 deletion pongo.sh
100755 → 100644
Expand Up @@ -758,6 +758,14 @@ function build_image {
fi

msg "starting build of image '$KONG_TEST_IMAGE'"

if [ -n "$PONGO_CUSTOM_CA_CERT" ]; then
msg "custom CA is set: $PONGO_CUSTOM_CA_CERT"
cp "$PONGO_CUSTOM_CA_CERT" "$LOCAL_PATH/custom_ca.crt"
else
echo -n '' > "$LOCAL_PATH/custom_ca.crt"
Member: can't we add it in some less visible location?

fi

$WINPTY_PREFIX docker build \
-f "$DOCKER_FILE" \
--build-arg PONGO_VERSION="$PONGO_VERSION" \
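Review bot: `cp "$PONGO_CUSTOM_CA_CERT" "$LOCAL_PATH/custom_ca.crt"` has no error handling; if the path is mistyped or unreadable, cp prints an error and the build continues with whatever `custom_ca.crt` is already in `$LOCAL_PATH`, possibly a CA left over from an earlier build. Validate before copying, e.g. `[ -r "$PONGO_CUSTOM_CA_CERT" ] || err "Error: PONGO_CUSTOM_CA_CERT is not readable: $PONGO_CUSTOM_CA_CERT"`, and consider `openssl x509 -in "$PONGO_CUSTOM_CA_CERT" -noout` so a non-PEM file is rejected before it is baked into the image. Agreed with the inline comment that a `custom_ca.crt` in the build-context root is visible; a dedicated location that is cleaned up after the build would be better. Separately, the file header shows pongo.sh changing mode 100755 → 100644, which drops the executable bit from the entry-point script and looks accidental; restore it.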
Expand All @@ -769,7 +777,7 @@ function build_image {
--build-arg KONG_BASE="$KONG_IMAGE" \
--build-arg KONG_DEV_FILES="./kong-versions/$VERSION/kong" \
--tag "$KONG_TEST_IMAGE" \
"$LOCAL_PATH" || err "Error: failed to build test environment"
"$LOCAL_PATH" || err "Error: failed to build test environment";

msg "image '$KONG_TEST_IMAGE' successfully build"
}
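Review bot: the only change in this hunk is a trailing `;` after `err "Error: failed to build test environment"`, which is a no-op in shell; revert it so the diff stays limited to the feature. If you do touch this area, the message on the following context line reads "successfully build" and should be "successfully built".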