Support secured devfile registries / index.jsons in odo #2893
Comments
Self-signed certificates are insecure. By default, odo needs to fail if a self-signed or otherwise invalid or untrusted certificate is used.
We should define what the devfile registry will look like first. Is it always going to be a git repository? A simple HTTP(S) server serving static files? Or should we define some API for it? /triage needs-information
I agree that self-signed certs are by definition insecure and should fail by default, but I do hit them regularly enough in dev systems. IMHO there should be an option to accept them, e.g. similar to "curl --insecure". I also agree we should discuss where/how the registry can be hosted, and what the client requirements are. This should be a discussion along with other devfile registry clients, so I've just opened an issue to discuss: devfile/api#39. We have an internal security team that is recommending support for several scenarios. There's a meeting later today; we can try to distill this and provide more specific examples of the environments that we think it should support.
The current picture for a devfile registry is not very clear. We could assume that, in any form, we need to provide authentication parameters to odo, as with the current code odo accesses the registry when it downloads
It might be a little bit early for this. We still don't know how the registry will be secured.
Agreed, it is still early to decide; let's wait for the registry structure to be finalized.
There are 3 scenarios that we need to consider covering for accessing secure devfile repos:
A couple of things we need to confirm before creating the design docs:
Draft Design Doc for Secure Registry Support

Table of contents

Problem Statement
Currently odo only supports a registry hosted on a platform that has a publicly signed certificate. We should support secure registries so that the user is able to store confidential files in the registry, host the registry on a platform whose certificate is in the user's trust store, and require authentication on the user side to access the platform.

Terminology
Registry: the registry is the place that stores the index file (index.json) and devfiles (devfile.yaml) so that the user can catalog and create devfile components from the registry. The registry itself can be hosted on GitHub (GitHub-hosted registry) or on a cluster (Cluster-hosted registry).
Authentication method (Credential):

Proposed Design
Support Scenarios:

Context:

Work flow to access secure registry:

Related issues
Dynamic registry support: #2940
Design proposal: #3329
@GeekArthur, is there any ID work needed for this issue? Thanks!
@j-c-berger Yes, there is some ID-related work, but that can start once the feature is done; currently the feature is still in the design proposal stage. Also, I think the ID work should be done by the Red Hat ID team as it's an odo feature, or should that be done by you?
@GeekArthur, thanks for getting back. I see how it's a good idea for Red Hat ID to cover the doc work since it's an odo feature. My ID team has several meetings lined up in the next couple of days. ID will discuss who should take up the doc work for this issue, then get back to you. Thanks!
Okay, thanks! FYI, usually for each odo release, Red Hat ID team is gonna review and work on the documentation if it's needed. |
One thing to note is that this item only covers the secure devfile repo and the download of the devfile. Support for sample applications coming from a stack in a secured repo is not covered as part of this item.
/remove-triage needs-information |
/triage ready |
An issue is open to track support for downloading starter projects from a secure repository/host: #3567
/kind user-story
/area devfile
User Story
Currently, odo supports devfile registries that are running behind publicly signed certificates and don't require any authentication. As a user, I want to be able to use odo with devfile registries / index.jsons that may be behind self-signed certs and/or require authentication, via a username/password or personal access token.
Acceptance Criteria
--insecure
This item only handles the secure devfile registry and the download of the devfile from the secure registry. It does not handle the sample application being stored under a secure repo.
CC @elsony @deboer-tim
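The client behaviour this user story asks for, and that the draft design doc above describes (fail by default on a self-signed registry certificate, accept it only through an explicit insecure opt-in or by trusting the certificate the user has added to their trust store, and send a token or username/password when the registry requires authentication), as an added Go example. This is not odo's code and not from the thread: the RegistryOptions type, FetchIndex, the fake registry and its one-entry index.json are assumptions made for illustration, and the fake registry stands in for a GitHub- or cluster-hosted one.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RegistryOptions is a hypothetical option set (not odo's real API) covering the cases raised in
// the issue: trust an extra certificate (the safe way to use a self-signed registry), skip
// verification (the curl --insecure analogue, off by default), and token or username/password auth.
type RegistryOptions struct {
	CACertPEM          []byte // extra trusted certificate(s) in PEM; nil = system roots only
	Insecure           bool   // skip TLS verification; must be an explicit user opt-in
	Token              string // sent as "Authorization: Bearer <token>" when set
	Username, Password string // HTTP basic auth, used only when Token is empty
}

func newClient(opts RegistryOptions) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case opts.Insecure:
		tlsCfg.InsecureSkipVerify = true // accepts any certificate, MITM included
	case opts.CACertPEM != nil:
		pool, _ := x509.SystemCertPool() // nil when no system store is available
		if pool == nil {
			pool = x509.NewCertPool()
		}
		if !pool.AppendCertsFromPEM(opts.CACertPEM) {
			return nil, errors.New("no certificates found in CA PEM")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// FetchIndex downloads and decodes index.json; with zero-value options a self-signed registry certificate is rejected.
func FetchIndex(indexURL string, opts RegistryOptions) ([]map[string]interface{}, error) {
	client, err := newClient(opts)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, indexURL, nil)
	if err != nil {
		return nil, err
	}
	if opts.Token != "" {
		req.Header.Set("Authorization", "Bearer "+opts.Token)
	} else if opts.Username != "" {
		req.SetBasicAuth(opts.Username, opts.Password)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("fetching %s: %w", indexURL, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("registry returned %s for %s", resp.Status, indexURL)
	}
	var index []map[string]interface{}
	if err := json.NewDecoder(resp.Body).Decode(&index); err != nil {
		return nil, fmt.Errorf("decoding index.json: %w", err)
	}
	return index, nil
}

// NewFakeRegistry starts an HTTPS server with a self-signed certificate that serves a
// constructed one-entry index.json and requires a fixed bearer token (hypothetical registry).
func NewFakeRegistry(token string) *httptest.Server {
	const index = `[{"name":"nodejs","displayName":"NodeJS Runtime","links":{"self":"devfiles/nodejs/devfile.yaml"}}]`
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, index)
	}))
}

// ServerCAPEM returns the fake registry's certificate as PEM, i.e. what a user would add to their trust store.
func ServerCAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv := NewFakeRegistry("s3cret")
	url := srv.URL + "/index.json"
	_, err := FetchIndex(url, RegistryOptions{Token: "s3cret"})
	fmt.Println("system roots only:", err) // rejected: certificate signed by unknown authority
	index, err := FetchIndex(url, RegistryOptions{CACertPEM: ServerCAPEM(srv), Token: "s3cret"})
	fmt.Println("registry cert trusted:", index, err)
}
```

The point of the two code paths is that an `--insecure`-style flag disables the check that distinguishes the real registry from an interposed one, so it has to be a per-invocation opt-in and never the default, while pointing the client at the registry's own certificate (or the CA that signed it) keeps verification on and still works for self-signed deployments.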