Support for custom CAs #11

Open
3 tasks
dcarlet opened this issue Mar 16, 2023 · 0 comments · May be fixed by #12
Labels
enhancement New feature or request

Comments


dcarlet commented Mar 16, 2023

When utilizing Artifactory, if the artifactory service you connect to is on a domain that isn't signed by the common CAs (common for airgapped environments), then Code Marketplace won't be able to connect to the Artifactory instance due to x509 errors:

```
2023-03-09 19:12:53.155 [ERROR] <artifactory.go:346> Error reading extensions {"request_id": "808d1d25-2b7b-4294-8d01-7aa47dc415e8", "error": "Get \"https://artifactory.local.domain/artifactory/api/storage/vscode-extensions?list\u0026deep=1\u0026depth=3\u0026listFolders=1\": x509: certificate signed by unknown authority"}
```

This could be solved by supporting custom CAs:
MVP:

  • Add ca-certificates to the dockerfile
  • Add helm values to allow the user to pass in a secret with all the required CAs, one per data element (PEM encoded).
  • Update deployment template to volume mount these secrets and run an update-ca-certificates at the start.

Non-MVP, possible other changes:

  1. Figure out how to allow them to specify a set of secrets that contain one or more cert files, and process all of those.
dcarlet added a commit to dcarlet/code-marketplace that referenced this issue Mar 16, 2023
Updated Dockerfile to install ca-certificates
Updated the deployment.yaml and added:
    A postStart lifecycle hook to run `update-ca-certificates`
    volume definition certs that maps to .Values.certificates.secretName
    volumeMounts that mount the secret to /usr/local/share/ca-certificates/
    Both of these are generated whether persistence is enabled or not (to ensure that if neither persistence nor artifactory is specified, but certificates is, the yaml is still correct).
Updated the values.yaml to add:
    certificates:
        secretName: ""
Along with some corresponding updates to the README.md files in root and helm chart.

TESTING:
Testing was accomplished by creating a separate Dockerfile which was just FROM the existing v1.2.1 image and adding ca-certificates.
A values file was created that:
1. Used this image
2. Set certificates.secretName
3. Set ingress information
4. Set artifactory.enabled to true and configured it against my private artifactory.

Testing was positive:
```
/opt # ./code-marketplace -v add ms-python.python-2023.5.10672245.vsix --artifactory https://artifactory.local.domain/artifactory --repo vscode-extensions
2023-03-16 20:03:56.653 [INFO]<artifactory.go:88>Seeding manifest cache...
2023-03-16 20:03:56.717 [DEBUG]<artifactory.go:135>artifactory request{"path": "api/storage/vscode-extensions?list\u0026deep=1\u0026depth=3\u0026listFolders=1", "method": "GET", "took": "63.398861ms"}
2023-03-16 20:03:56.717 [DEBUG]<artifactory.go:178>parse list response{"took": "305.9µs"}
2023-03-16 20:03:56.718 [INFO]<artifactory.go:120>Seeded manifest cache{"count": 0, "took": "64.410262ms"}
2023-03-16 20:03:57.022 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension.vsixmanifest", "method": "PUT", "took": "290.632781ms"}
2023-03-16 20:03:57.165 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/CHANGELOG.md", "method": "PUT", "took": "142.379237ms"}
2023-03-16 20:03:57.295 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/dist/extension.browser.js", "method": "PUT", "took": "129.862626ms"}
2023-03-16 20:03:57.345 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/dist/extension.browser.js.LICENSE.txt", "method": "PUT", "took": "49.677148ms"}
2023-03-16 20:03:57.400 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/icon.png", "method": "PUT", "took": "55.143953ms"}
2023-03-16 20:03:57.454 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/LICENSE.txt", "method": "PUT", "took": "53.012451ms"}
2023-03-16 20:03:57.509 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/package.json", "method": "PUT", "took": "54.904753ms"}
2023-03-16 20:03:57.561 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/extension/README.md", "method": "PUT", "took": "45.820144ms"}
2023-03-16 20:03:58.209 [DEBUG]<artifactory.go:135>artifactory request{"path": "vscode-extensions/ms-python/python/2023.5.10672245/ms-python.python-2023.5.10672245.vsix", "method": "PUT", "took": "647.480824ms"}
Unpacked ms-python.python-2023.5.10672245 to https://artifactory.local.domain/artifactory/ms-python/python/2023.5.10672245
  - ms-python.python-2023.5.10672245 has 0 dependencies
  - ms-python.python-2023.5.10672245 is in a pack with 2 other extensions
    - ms-toolsai.jupyter
    - ms-python.vscode-pylance
```
@code-asher code-asher linked a pull request Mar 16, 2023 that will close this issue
@code-asher code-asher added the enhancement New feature or request label Mar 16, 2023
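The failure mode reported in this issue and the effect of trusting an extra CA, as an added Go example that is not code from code-marketplace or from the linked pull request. It starts a local httptest TLS server with a self-signed certificate (standing in for an Artifactory instance behind a private CA), shows that a client built on the system roots alone fails with x509.UnknownAuthorityError (the "certificate signed by unknown authority" text in the log above), and that appending the CA's PEM to the root pool makes the same request succeed. The names newClient, fetch, isUnknownAuthority and demo, the request path and the JSON body are this example's own assumptions; the project's actual fix installs the CAs at the OS level with update-ca-certificates, which a Go binary picks up through x509.SystemCertPool without any code change.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTP client that trusts the system roots plus any
// extra PEM-encoded CA certificates (the "custom CA" case from the issue).
// extraCAs may be nil, in which case only the system pool is used.
// Hypothetical helper for this example, not a code-marketplace API.
func newClient(extraCAs []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		// No usable system store (e.g. an image without ca-certificates):
		// start from an empty pool rather than failing outright.
		pool = x509.NewCertPool()
	}
	if len(extraCAs) > 0 && !pool.AppendCertsFromPEM(extraCAs) {
		return nil, errors.New("no PEM certificates found in extra CA bundle")
	}
	// RootCAs replaces the verifier's trust anchors; InsecureSkipVerify is
	// deliberately not used, since that would disable verification entirely.
	return &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}},
	}, nil
}

// fetch performs a GET and returns the response body as a string.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// isUnknownAuthority reports whether err wraps the x509 "certificate signed
// by unknown authority" failure seen in the issue's log line.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo stands up a self-signed TLS server (constructed stand-in for a
// private Artifactory) and compares a system-roots-only client with one that
// also trusts the server's CA certificate.
func demo() (unknownAuthority bool, body string, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"files":[]}`) // constructed sample response
	}))
	defer srv.Close()
	listURL := srv.URL + "/artifactory/api/storage/vscode-extensions?list"

	// 1. System roots only: verification fails like the log line in the issue.
	sysOnly, err := newClient(nil)
	if err != nil {
		return false, "", err
	}
	_, err = fetch(sysOnly, listURL)
	unknownAuthority = isUnknownAuthority(err)

	// 2. System roots plus the private CA (here the server's own self-signed
	// certificate, PEM-encoded as a CA bundle secret would be): succeeds.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	trusting, err := newClient(caPEM)
	if err != nil {
		return unknownAuthority, "", err
	}
	body, err = fetch(trusting, listURL)
	return unknownAuthority, body, err
}

func main() {
	ua, body, err := demo()
	fmt.Printf("system roots only -> unknown authority error: %v\n", ua)
	fmt.Printf("with custom CA    -> body=%q err=%v\n", body, err)
}
```

On Linux, x509.SystemCertPool reads the bundle that update-ca-certificates writes (/etc/ssl/certs/ca-certificates.crt) and also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so mounting the secret and running update-ca-certificates in a postStart hook, as the linked commit does, is the in-container equivalent of the AppendCertsFromPEM call above. The check in isUnknownAuthority is what to match on in logs or health probes to distinguish a missing CA from other connection failures.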