feat(TLS): Support certificate authority flag #7
Conversation
| - name: Generate TLS Certs | ||
| run: ./.github/workflows/scripts/tls.sh | ||
| env: | ||
| MAIN_IP: ${{ env.MAIN_IP }} |
There was a problem hiding this comment.
This generates the certificates for CI usage. MAIN_IP is required because BindPlane's server certificate is created with IP SANS.
| - name: Set CA certificate | ||
| run: | | ||
| { | ||
| echo 'TLS_CA_CERT<<EOF' | ||
| cat step/ca.crt | ||
| echo EOF | ||
| } >> "$GITHUB_ENV" |
There was a problem hiding this comment.
This was annoying to figure out. This syntax allows us to output a multi line file to an environment variable. This environment variable will be used to configure the new TLS option on the action, similar to using a secret.
| -p 3001:3001 \ | ||
| -v $(pwd)/step/bindplane.crt:/bindplane.crt \ | ||
| -v $(pwd)/step/bindplane.key:/bindplane.key \ | ||
| -v $(pwd)/step/ca.crt:/ca.crt \ |
There was a problem hiding this comment.
The CA is mounted inside the container despite not being used by the BindPlane server. This allows docker exec to run cli commands within the container, with the --tls-ca flag.
| @@ -24,7 +25,7 @@ echo "Current branch is $BRANCH_NAME" | |||
| install_bindplane_cli() { | |||
| curl -Ls \ | |||
| -o bindplane.zip \ | |||
| https://storage.googleapis.com/bindplane-op-releases/bindplane/latest/bindplane-ee-linux-amd64.zip | |||
| https://storage.googleapis.com/bindplane-op-releases/bindplane/1.46.0/bindplane-ee-linux-amd64.zip | |||
There was a problem hiding this comment.
Hardcoding the bindplane version in order to pin it to the action release version. Our BindPlane release process has new instructions for updating this hardcoded version.
There was a problem hiding this comment.
1.46 contains a fix for TLS.
Added new
tls_ca_certoption to the action. See the README change for example usage.I updated CI to generate certificates on each run. The CI action will use the new TLS option to interface with BindPlane. This proves that it is working. Without the TLS option, I was getting errors due to certificate verification failure.