[FR] Enable use of "certificate signed by unknown authority" for OpenFaaS gateway

[knafel]

Is your feature request related to a problem? Please describe.
We would like to use the RabbitMQ-Connector on company internal k8s cluster, which uses certificates signed by our company CA. This is not supported by the connector resulting in error accessing the gateway URL:
"Get https://dev.function.our-company-name.com/system/functions: x509: certificate signed by unknown authority"

Describe the solution you'd like

• Add environment bool variable, e.g.: INSECURE_SKIP_VERIFY: true.

• Assuming that in the code this environment variable will be expressed as: insecureSkipVerify, the parameter could be apssed to the RabbitMQ connection or the definition of the HTTP client could be, e.g.:

client := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: insecureSkipVerify, }, }, }

Describe alternatives you've considered
Directly configuring RabbitMQ instead of the connector.

Additional context
None.

[Templum]

Hey @knafel sounds like a good and straightforward Idea. However, I need to check it the Controller SDK does support such an behaviour. Sadly I did not implement the communication to open faas myself. I will check it and get back to you, overall your request seems to be a quick win.

[Templum]

@knafel was able to verify that the lib supports the behavior. Will now start implementing it, would you be so kind and test it? I will later share with you the docker image.

After successful validation through you, I would publish it with a new minor version.

[knafel]

@Templum : Great that you are willing to implement this feature ... very much appreciated. I will be able to test starting earliest next Tuesday (currently traveling).
Thanks a lot.

[Templum]

@knafel that's fine. I think I can start working on it on Wednesday.

[knafel]

@Templum : OK ... let me know, when you are ready for testing.

[Templum]

@knafel actually I did find the time to work on it today, could you give this image a try templum/rabbitmq-connector:pr-38. Please look here for information on the default as well as the env name. Let me know if it works for you.

[knafel]

@Templum: Very good! I will try to find time today or tomorrow to test it.

[knafel]

Hi @Templum:
Because of other urgent matters, i started testing the new connector today from home.
A short interim status:
Unfortunately, I run into problem (even with not setting the INSECURE_SKIP_VERIFY to "false" or "true"). The container is repeatedly restarting (CrashLoopBackOff).
The logs are for me not conclusive ... see attachment
container.log
I will check it next week with the colleague, who knows this part better, as he did the original deployment, if our updated configuration may be a source of the issue.
(FYI: due to very specific company requirements on name spaces and resource limits, we modify it significantly. Additionally we were using successfully the connector before with the exchange type "topic" instead of "direct"-- line 87 in queue_consumer_factory.go -- I tried it with this change, but I can temporarily test with your original ("direct") setting.)
If you have any idea, what can be the cause, please let me know, otherwise I will continue next week.
Cheers, A.

[Templum]

Hi @knafel ,

Based on the shared logs. It seems like you did not provide or provide the wrong secret for the communication to open faas. As the last message is usually thrown by the Open FaaS Connector SDK in case the call was performed without the correct Basic Auth Credentials.

By default, OpenFaaS is now deployed with active Basic Auth. Please revisit that part, I will set up an issue to remove the OpenFaaS Connector SDK and rather go with an own implementation.

[knafel]

@Templum : Thanks ... I will check it.

[knafel]

Hi @Templum:

Intermediate status:
You were correct re. the authentication problems. It worked, when I temporary replaced part of your main.go -- see below:
` // if tag == "dev" {

// 	log.Printf("Connector is in local mode will use the debug credentials")

// 	creds = &auth.BasicAuthCredentials{User: "admin", Password: "b43c1de00d8a477d6af007a6516944e3d1b02692a190fe71f68616b678ac959a"}

// } else {

// 	log.Printf("Connector is in productive mode will read credentials from path")

// 	creds = types.GetCredentials()

// }

secretMountPath, exists := os.LookupEnv("secret_mount_path")

if !exists {

	log.Fatalf("Environment variable [secret_mount_path] does not exist")

}

usr, err := ioutil.ReadFile(secretMountPath + "/basic-auth-user")

if err != nil {

	log.Fatalf("OpenFaaS User not readable: %s", err)

}

pwd, err := ioutil.ReadFile(secretMountPath + "/basic-auth-password")

if err != nil {

	log.Fatalf("OpenFaaS Password not readable: %s", err)

}

creds = &auth.BasicAuthCredentials{User: string(usr), Password: string(pwd)}`

It is obviously NOT a solution, and I did not have time to dig, why the SDK types.GetCredentials() did not work in our current cluster setup (K8s Rancher distro with some our company specific namespace structure).
So far seems to work, but next days/weeks we will move our project to a new cluster, then I will continue with further test.

Cheers ...

[Templum]

@knafel I was finally able to finish up the final works on it, further also removed the local hack. Final PR is #47.

Let me know if you can test it.

[Templum]

Merged #47