♻️ add loading of self signed certs to director-v2 and webserver entrypoint.sh #3678
# In case the service must access a docker registry in a secure way using | ||
# non-standard certificates (e.g. such as self-signed certificates), this call is needed. | ||
# It needs to be executed as root. | ||
update-ca-certificates |
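Review bot: the `update-ca-certificates` call on the last line of this hunk has no visible handling for failure, even though the comment directly above it says it must run as root. If the entrypoint reaches this line without root privileges, or the trust-store update fails for another reason, the service would start without the certificate it is expected to trust and the problem would only show up later as a TLS verification error. Consider checking the exit status and logging a clear message (or aborting start-up), and, if the script switches to an unprivileged user further down, saying in the comment that this call has to come first.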
Q: why does the web-server need this? AFAIK it does not access the docker registry directly.
The comment was copy-pasted, sorry; let me adjust it.
# In case the service must access a docker registry in a secure way using | ||
# non-standard certificates (e.g. such as self-signed certificates), this call is needed. | ||
# It needs to be executed as root. | ||
update-ca-certificates |
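Review bot: the comment in this hunk does not say where the self-signed certificates are expected to be placed before `update-ca-certificates` runs, nor that the call changes the system-wide trust store of the container rather than trust for a single connection. Naming the expected certificate location and the scope of the change in the comment would let a reader audit what the service ends up trusting; the registry-specific wording ("must access a docker registry") should also be generalised if the registry is not the only intended use. Minor style point: "e.g. such as" on the second line is redundant.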
Same question here: the docker registry is accessed via the director, right?
Adjusted the comment. For the director this was added in anticipation; at this point I don't know if or which outside services the director-v2 might need.
But for sure, the director-v2 will eventually have to pass the self-signed cert onwards to the dynamic-sidecars and dy-proxys, so I guess it needs it, and it is OK if the director-v2 trusts this self-signed certificate.
What services is this accessing via https? Usually it accesses stuff inside the docker network, where there is no https. Am I missing something?
I guess it is not accessing https services, but why would the director-v2 not trust a certificate it will instruct the dy-sidecars spawned by it to trust? :D Maybe I am missing something here.
My indirect question was something along the lines of: what issues does this fix?
Thanks, please re-review @pcrespov
Codecov Report
@@ Coverage Diff @@
## master #3678 +/- ##
=========================================
+ Coverage 83.4% 89.0% +5.6%
=========================================
Files 883 338 -545
Lines 37398 17206 -20192
Branches 786 0 -786
=========================================
- Hits 31197 15325 -15872
+ Misses 5992 1881 -4111
+ Partials 209 0 -209
lgtm, thanks!
At this point I'm ok with it as well.
Kudos, SonarCloud Quality Gate passed! 0 Bugs. No Coverage information.
adds loading of self signed certificates to director-v2 and webserver