
fix: allow self-signed ingress certificates to be trusted #281

Open. Wants to merge 2 commits into base: master

Conversation

@ssthom (Collaborator) commented Apr 22, 2021

By adding the NODE_EXTRA_CA_CERTS environment variable we can let razeedash trust self-signed certs, which is needed if the ingress for your razeedash-api is self-signed. Otherwise you get the following in WatchKeeper:

{"name":"DelayedSendArray","hostname":"watch-keeper-6fd5996f7f-z4nvr","pid":1,"level":50,"err":{"message":"self signed certificate in certificate chain","name":"Error","stack":"Error: self signed certificate in certificate chain\n    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)\n    at TLSSocket.emit (events.js:315:20)\n    at TLSSocket._finishInit (_tls_wrap.js:932:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)","code":"SELF_SIGNED_CERT_IN_CHAIN"},"msg":"self signed certificate in certificate chain","time":"2021-04-22T17:31:22.889Z","v":0}

To enable this you just add your certificate to the watch-keeper-secret secret with the key cacerts.pem. If you don't have that key in your secrets, WatchKeeper still starts up fine, just with no additional certs being accepted.

@ssthom ssthom requested a review from adamkingit April 22, 2021 18:50
Review comment on lines +37 to +38:
- name: NODE_EXTRA_CA_CERTS
value: /home/node/envs/watch-keeper-secret/cacerts.pem
Member commented:

I'm fine with this except for the fact that there will be a warning when the file doesn't exist (which will probably be the majority of the time).

docs ref:

A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.

I think we can achieve the same result with an optional env.

Suggested change
- name: NODE_EXTRA_CA_CERTS
value: /home/node/envs/watch-keeper-secret/cacerts.pem
- name: NODE_EXTRA_CA_CERTS
valueFrom:
configMapKeyRef:
name: watch-keeper-config
key: NODE_EXTRA_CA_CERTS
optional: true
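Review bot: optional: true only covers the case where the NODE_EXTRA_CA_CERTS key is absent from watch-keeper-config; once an operator sets the key, Node still emits the "missing or malformed" warning quoted above if cacerts.pem has not actually been added to watch-keeper-secret, so the two changes have to land together and that coupling should be documented next to the manifest. Also note the rendered suggestion has lost its YAML indentation: valueFrom must be nested under the env entry, configMapKeyRef under valueFrom, and name/key/optional under configMapKeyRef, otherwise the manifest will not parse.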

which means someone who wants to add extra certs will have to update both the watch-keeper-config with the ca certs path, as well as the watch-keeper-secret with the actual pem file.

Please make the change and test it. thanks.
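As an added example, not the razeedash or watch-keeper project's own manifest, here is how the reviewer's optional configMapKeyRef approach fits together with the secret mount in a Deployment, plus the ConfigMap and Secret an operator creates to opt in. The container name, the image reference and the mount path /home/node/envs/watch-keeper-secret are assumptions inferred from the file path in the PR; the env entry follows the suggestion above.

```yaml
# Added example, not the project's own manifest.
# Assumptions: the container is named watch-keeper, the image is a placeholder,
# and watch-keeper-secret is mounted at /home/node/envs/watch-keeper-secret
# (inferred from the path used in the PR).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: watch-keeper
spec:
  selector:
    matchLabels:
      app: watch-keeper
  template:
    metadata:
      labels:
        app: watch-keeper
    spec:
      containers:
        - name: watch-keeper
          image: "watch-keeper-image:tag"   # placeholder, not a real image reference
          env:
            # Only populated when the operator adds the key to the ConfigMap.
            # With optional: true the pod still starts when the key is absent,
            # and because the variable is then simply unset, Node does not emit
            # the "missing or malformed" warning for a non-existent file.
            - name: NODE_EXTRA_CA_CERTS
              valueFrom:
                configMapKeyRef:
                  name: watch-keeper-config
                  key: NODE_EXTRA_CA_CERTS
                  optional: true
          volumeMounts:
            - name: watch-keeper-secret
              mountPath: /home/node/envs/watch-keeper-secret
              readOnly: true
      volumes:
        - name: watch-keeper-secret
          secret:
            secretName: watch-keeper-secret
---
# Opt-in step 1: tell Node where the mounted CA bundle lives.
apiVersion: v1
kind: ConfigMap
metadata:
  name: watch-keeper-config
data:
  NODE_EXTRA_CA_CERTS: /home/node/envs/watch-keeper-secret/cacerts.pem
---
# Opt-in step 2: the CA bundle itself, under the key cacerts.pem.
# NODE_EXTRA_CA_CERTS extends the process trust store, so this should hold
# only the CA certificate(s) that signed the ingress certificate, never a
# private key. stringData accepts the PEM text as-is.
apiVersion: v1
kind: Secret
metadata:
  name: watch-keeper-secret
type: Opaque
stringData:
  cacerts.pem: |
    -----BEGIN CERTIFICATE-----
    <PEM body of the ingress CA certificate: constructed placeholder>
    -----END CERTIFICATE-----
```

Two operational notes: Node reads NODE_EXTRA_CA_CERTS once at process start, so after changing either the ConfigMap key or the secret contents the watch-keeper pods need a restart before the new trust takes effect; and if the ConfigMap key is set while cacerts.pem is missing from the secret, Node starts anyway but logs the one-time warning, which is a useful signal to alert on rather than a hard failure.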

@stale stale bot commented Jun 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jun 9, 2021
@adamkingit adamkingit added the enhancement New feature or request label Jun 9, 2021
@stale stale bot removed the wontfix This will not be worked on label Jun 9, 2021