As a developer, I can use a custom CA cert to verify SSL connections during builds #170
Comments
|
@sclevine even if we don't prioritize fixing this in the general case (because of the problems with stack portability), we should probably handle the specific case of providing a custom ca for connections to a registry. I imagine we could configure that through ggcr and avoid updating the trust store for the entire container. |
|
This is something that would be useful in my work - I work on a product that enterprise customers install and require their own random certs to be injected into the container. One thing I thought of here was to "pre-prepare" a stack based on the generic stack. If I "detected" that I needed to inject files, I would simply to do so before actually calling pack/lifecycle, and then use the resulting image within the build process. I don't like that since it requires keeping track of an intermediate stack outside of the general tooling, but it could be useful if this isn't built into pack/lifecycle. Semi-related was #169, which thankfully is implemented :) |
natalieparellano
added
status/discussion-needed
|
Potentially related to #159 |
|
Hey this is blocking my company's exploration of this technology due to our internal security policies and their expressions as crypto-cracking countermeasures at the edge. Since this is a non-negotiable thing for us, we are unable to proceed much further without this capability. How can we work to resolve this, knowing fully that we're willing to help test this in a corporate environment where Man-In-The-Middle proxies exist in force? Anything we can do to help would be awesome. |
|
An API for this issue is being discussed in buildpacks/rfcs#69 |
|
There's been recent movement on this (conversation in slack) - either to implement it as an experimental flag in pack, or to allow it via a new rfc for
|
jromero
added
type/research
|
Following @dfreilich's update, the alignment during working group was to take the following steps:
|
|
Did a bit of research on this recently. I've cataloged a few solutions on a separate repo. The lowest hanging solution with reasonable results would be the support the Read/Write volumes to enable mounting the docker VM certs. It would be analogous to the following command: docker run \
--volume="/etc/ssl/certs:/etc/ssl/certs:ro" \
--volume="/usr/share/ca-certificates/:/usr/share/ca-certificates/:ro" \
-it --rm \
gcr.io/paketo-buildpacks/builder:base \
/bin/bash |
|
Love it! |
|
@dfreilich I'd like this left open until I've got a snapshot to test it with. |
|
Any update on this? I've tried mounting the certificate volume but I'm still getting SSL errors when running behind a corporate proxy. Don't we also need to run |
|
@noamichael I can help troubleshoot a little if you want to open a separate issue or reach out via slack. FWIW, Here's a draft post that has a little more detail. It will likely be moved to buildpacks.io until a more permanent solution is available (such as stack buildpacks). |
|
The Paketo buildpacks team have found a buildpack acceptable solution for this. You can find it here. We recommend other providers to do something similar. Once stack buildpacks are available additional options for implementation would be available. That said at this point in time this issue has been satisfied. |
|
This combined with the #169 make it perfect for the use case where in order to improve build speed, additionally to the image caching, you can proxy with I've just tested it and works like a charm. Keep Rocking! |
Important for enterprise/corporate users with transparent mitm proxies
When I run
pack build --cert /path/to/cert1.pem--cert /path/to/cert2.pem`And A process in the container reaches out to website using TLS that requires cert1.pem and cert2.pem CA certificates to validate
Then The connection succeeds
Notes
/etc/ssl/certsupdate-ca-certificatesThe text was updated successfully, but these errors were encountered: