Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for additional certificates in the generated pongo test image #453

Open
tomereli opened this issue Oct 24, 2023 · 11 comments
Open

Comments

@tomereli
Copy link

At PayPal, we have corporate proxies for which IT pre-installs the self-signed certificates in all laptops and working stations.
pongo run fails due to this - with SSL: CERTIFICATE_VERIFY_FAILED - self signed certificate in chain.

To fix this, need to add ce-certificates to the RUN apt install line in the Dockerfile, copy the self-signed certificates to the image, run update-ca-certificates and add ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to the Dockerfile.

Need to add support to inject the certificates to the CLI - perhaps this should be in the kong base image even, I'll let the Kong team decide.

@Tieske
Copy link
Member

Tieske commented Oct 24, 2023

why would the REQUESTS_CA_BUNDLE env var be required? isn't that Python specific?

@tomereli
Copy link
Author

It is Python specific, from my experience each app might behave differently when it comes to certificates, and since Pongo is using httpie which is written in Python, it is required, as Python doesn't use the system certificates by default - it requires explicitly adding them. This can be done using the REQUESTS_CA_BUNDLE env var, or with the certifi module as mentioned in https://github.com/python/cpython/blob/e05a703848473b0365886dcc593cbddc46609f29/Mac/BuildScript/resources/ReadMe.rtf#L22-L34

Note - this might only be required for mac - see https://github.com/python/cpython/blob/e05a703848473b0365886dcc593cbddc46609f29/Mac/BuildScript/build-installer.py#L239-L246

@Tieske
Copy link
Member

Tieske commented Oct 25, 2023

yes, httpie would use it.

@Tieske
Copy link
Member

Tieske commented Oct 25, 2023

so could we add the certs to ./.pongo/ca-certs/, and then adapt the dockerfile to copy them in and do the cert dance as described.

@Tieske
Copy link
Member

Tieske commented Oct 25, 2023

hmmm... maybe not. The ./.pongo/ folder is plugin specific, but the generated image is system wide.

So we'd need to add a system-pongo directory for config options.

@tomereli
Copy link
Author

As Pongo Dockerimage extends Kong - I assume the same will be needed in other images, in which case don't you think adding the ca-certs in the kong base-image and propagating them as user supplied argument or some other means from every derived tool is better?

@tomereli
Copy link
Author

tomereli commented Oct 25, 2023

hmmm... maybe not. The ./.pongo/ folder is plugin specific, but the generated image is system wide.

So we'd need to add a system-pongo directory for config options.

Does that mean you will add the certificates into the pongo repository instead of letting users pass them as env vars / command line arguments?

I think something like pongo run --ca-certs ~/my_certs will cover all usecases and keep it generic.

@Tieske
Copy link
Member

Tieske commented Oct 25, 2023

But then it might be better to generate a custom Kong image (not a Pongo responsibility), and pass that in as $KONG_IMAGE.

Though #454 indicates that it might have issues...

@tomereli
Copy link
Author

But then it might be better to generate a custom Kong image (not a Pongo responsibility), and pass that in as $KONG_IMAGE.

Though #454 indicates that it might have issues...

Sounds legit. #454 would need to be addressed first though.

@Tieske
Copy link
Member

Tieske commented Dec 13, 2023

@tomereli have you considered using the PONGO_DOCKER_FILE environment variable? see pongo build --help.

@Tieske
Copy link
Member

Tieske commented Jan 26, 2024

@tomereli here's a different approach: #509

  • httpie becomes optional
  • curl disables verification during the build

could this work for you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants