New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use HTTPS in gitops run S3 bucket server
#3106
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
use HTTPS in
gitops run S3 bucket server
When installing the dev bucket server on the cluster, it is now configured with a self-signed certificate generated on demand. The certificate is valid for 3 days which should be enough for a typical `gitops run` use case. Instead of using HTTP in the forwarding from the host machine into the bucket server pod, the CLI now uses HTTPS so that traffic can't be intercepted on its way between the developer's machine and the cluster. The certificate, after being generated, is put into a Kubernetes Secret which is in turn mounted into the bucket server pod.
- Loading branch information
commit ce2bbff0a3609c33396050ed544a5a21f8d0797f
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,7 +9,7 @@ GIT_COMMIT?=$(shell which git > /dev/null && git log -n1 --pretty='%h') | |
| VERSION?=$(shell which git > /dev/null && git describe --always --match "v*") | ||
| FLUX_VERSION=0.37.0 | ||
| CHART_VERSION=$(shell which yq > /dev/null && yq e '.version' charts/gitops-server/Chart.yaml) | ||
| DEV_BUCKET_CONTAINER_IMAGE=ghcr.io/weaveworks/gitops-bucket-server@sha256:8fbb7534e772e14ea598d287a4b54a3f556416cac6621095ce45f78346fda78a | ||
| DEV_BUCKET_CONTAINER_IMAGE?=ghcr.io/weaveworks/gitops-bucket-server@sha256:157fa617e893e3ab0239547d8f1e820664b10c849fbd652c7f8738920b842f13 | ||
| TIER=oss | ||
|
|
||
| # Go build args | ||
|
|
@@ -31,7 +31,7 @@ LDFLAGS?=-X github.com/weaveworks/weave-gitops/cmd/gitops/version.Branch=$(BRANC | |
| # Docker args | ||
| # LDFLAGS is passed so we don't have to copy the entire .git directory into the image | ||
| # just to get, e.g. the commit hash | ||
| DOCKERARGS:=--build-arg FLUX_VERSION=$(FLUX_VERSION) --build-arg LDFLAGS="$(LDFLAGS)" --build-arg GIT_COMMIT=$(GIT_COMMIT) | ||
| DOCKERARGS+=--build-arg FLUX_VERSION=$(FLUX_VERSION) --build-arg LDFLAGS="$(LDFLAGS)" --build-arg GIT_COMMIT=$(GIT_COMMIT) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is necessary so devs can provide flags to Docker's build process, e.g. |
||
| # We want to be able to reference this in builds & pushes | ||
| DEFAULT_DOCKER_REPO=localhost:5001 | ||
| DOCKER_REGISTRY?=$(DEFAULT_DOCKER_REPO) | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| package s3 | ||
|
|
||
| import ( | ||
| "crypto/tls" | ||
| "crypto/x509" | ||
| "fmt" | ||
| "net/http" | ||
|
|
||
| "github.com/minio/minio-go/v7" | ||
| "github.com/minio/minio-go/v7/pkg/credentials" | ||
| ) | ||
|
|
||
| func NewMinioClient(endpoint string, caCert []byte) (*minio.Client, error) { | ||
| tr, err := NewTLSRoundTripper(caCert) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed creating transport: %w", err) | ||
| } | ||
|
|
||
| return minio.New( | ||
| endpoint, | ||
| &minio.Options{ | ||
| Creds: credentials.NewStaticV4("user", "doesn't matter", ""), | ||
| Secure: true, | ||
| BucketLookup: minio.BucketLookupPath, | ||
| Transport: tr, | ||
| }, | ||
| ) | ||
| } | ||
|
|
||
| func NewTLSRoundTripper(caCert []byte) (http.RoundTripper, error) { | ||
| tr, err := minio.DefaultTransport(true) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed creating default transport: %w", err) | ||
| } | ||
|
|
||
| tr.TLSClientConfig = &tls.Config{ | ||
| // Can't use SSLv3 because of POODLE and BEAST | ||
| // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher | ||
| // Can't use TLSv1.1 because of RC4 cipher usage | ||
| MinVersion: tls.VersionTLS12, | ||
| } | ||
| rootCAs := mustGetSystemCertPool() | ||
|
|
||
| rootCAs.AppendCertsFromPEM(caCert) | ||
| tr.TLSClientConfig.RootCAs = rootCAs | ||
|
|
||
| return tr, nil | ||
| } | ||
|
|
||
| // mustGetSystemCertPool - return system CAs or empty pool in case of error (or windows) | ||
| func mustGetSystemCertPool() *x509.CertPool { | ||
| pool, err := x509.SystemCertPool() | ||
| if err != nil { | ||
| return x509.NewCertPool() | ||
| } | ||
|
|
||
| return pool | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This lets devs override the image by issuing