Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable #1180

Merged
merged 3 commits into from Apr 2, 2020

@doodlesbykumbi doodlesbykumbi commented Apr 1, 2020

This allows Secretless to proxy connections to servers with self-signed certificates. Appending different RootCAs for each http connector instance requires significantly more work, so this value applies in a global sense. SECRETLESS_HTTP_CA_BUNDLE is the file path to the RootCAs that will be appended for use by the http service singleton.

Refactored the tests for the generic http connector. Sample output:

```
Waiting for Secretless to start
Secretless is up - continuing

Running tests

=== RUN   TestCreds
=== RUN   TestCreds/proxy_credentials_match_server_credentials
=== RUN   TestCreds/proxy_credentials_don't_match_server_credentials
--- PASS: TestCreds (0.03s)
    --- PASS: TestCreds/proxy_credentials_match_server_credentials (0.02s)
    --- PASS: TestCreds/proxy_credentials_don't_match_server_credentials (0.01s)
=== RUN   TestForceSSL
=== RUN   TestForceSSL/certificate_included_in_proxy_bundle
=== RUN   TestForceSSL/certificate_not_included_proxy_bundle
2020/04/02 13:51:06 http: TLS handshake error from 172.25.0.2:55410: remote error: tls: bad certificate
--- PASS: TestForceSSL (0.06s)
    --- PASS: TestForceSSL/certificate_included_in_proxy_bundle (0.03s)
    --- PASS: TestForceSSL/certificate_not_included_proxy_bundle (0.03s)
PASS
ok  	github.com/cyberark/secretless-broker/test/connector/http/generic	0.098s
```
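
The mechanism this description outlines, as an added Go example that is not the code merged in this pull request: a PEM bundle named by `SECRETLESS_HTTP_CA_BUNDLE` is appended to the system roots, and the resulting pool is what an HTTP client would set as `tls.Config.RootCAs`. The function names, the `httptest` certificate used as constructed input, and the choice to fail closed on an unreadable or empty bundle are assumptions of the example.

```go
package main
import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http/httptest"
	"os"
)

// Variable name from the PR; every other name here is an assumption of this example.
const caBundleEnv = "SECRETLESS_HTTP_CA_BUNDLE"

// rootCAs returns the system roots plus the PEM bundle named by caBundleEnv.
func rootCAs() (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store: trust only the bundle
	}
	if path, set := os.LookupEnv(caBundleEnv); set {
		pemBytes, err := os.ReadFile(path)
		if err != nil || !pool.AppendCertsFromPEM(pemBytes) { // fail closed
			return nil, fmt.Errorf("%s=%q: no usable certificates (read error: %v)", caBundleEnv, path, err)
		}
	}
	return pool, nil
}

// probe verifies httptest's constructed self-signed certificate against rootCAs.
func probe(inBundle bool) error {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	f, err := os.CreateTemp("", "ca-*.pem")
	if err != nil {
		return err
	}
	defer os.Remove(f.Name())
	pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	f.Close()
	os.Unsetenv(caBundleEnv)
	if inBundle {
		os.Setenv(caBundleEnv, f.Name())
	}
	pool, err := rootCAs()
	if err != nil {
		return err
	}
	_, err = srv.Certificate().Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() { fmt.Println("in bundle:", probe(true), "| not in bundle:", probe(false)) }
```

Because the pool is appended to rather than replaced, every publicly trusted CA stays trusted alongside the bundle, and a variable that is set but points at an unreadable file stops startup instead of silently falling back to the system roots.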

@sgnn7 sgnn7 left a comment

@doodlesbykumbi Just a couple of comments

test/connector/http/generic/http_test.go Outdated
test/connector/http/generic/test Outdated
@doodlesbykumbi doodlesbykumbi force-pushed the poc-http-ca-bundle branch 5 times, most recently from 85dc261 to ec71aac Compare April 2, 2020 14:35
@doodlesbykumbi doodlesbykumbi marked this pull request as ready for review April 2, 2020 14:40
@doodlesbykumbi doodlesbykumbi requested a review from a team as a code owner April 2, 2020 14:40
@doodlesbykumbi doodlesbykumbi changed the title from "Add SECRETLESS_HTTP_CA_BUNDLE to append RootCAs for use by http service" to "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable to append RootCAs for use by all http service connectors" Apr 2, 2020
@doodlesbykumbi doodlesbykumbi changed the title from "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable to append RootCAs for use by all http service connectors" to "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable to append to RootCAs used for verification by all http service connectors" Apr 2, 2020
@doodlesbykumbi doodlesbykumbi changed the title from "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable to append to RootCAs used for verification by all http service connectors" to "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable" Apr 2, 2020
@doodlesbykumbi doodlesbykumbi changed the title from "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable" to "Introduce SECRETLESS_HTTP_CA_BUNDLE environment variable" Apr 2, 2020
@sgnn7 sgnn7 left a comment

@doodlesbykumbi Nice work! I really like the nixing of NGINX!

@sgnn7 sgnn7 merged commit 10cca05 into master Apr 2, 2020
@sgnn7 sgnn7 deleted the poc-http-ca-bundle branch April 2, 2020 17:32