Allow for disabling server TLS certificate verification when making API calls #312

Open
maxrake opened this issue Sep 13, 2023 · 0 comments
Labels: enhancement (New feature or request), medium priority (This should be addressed soon), needs triage (Used to indicate that an issue hasn't been reviewed)


maxrake commented Sep 13, 2023

Overview

Is your feature request related to a problem? Please describe.

This feature request came out of the Phylum Discord. The suggestion was due to a self-hosted GitLab instance that was refusing internal API requests from the runners where the phylum-ci GitLab CI integration was running:

SSLError: HTTPSConnectionPool(host='', port=): Max retries exceeded with url: /api/v4/projects/170/merge_requests/3/notes (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

The assumption is that the self-hosted GitLab instance is using self-signed certificates and the runner where the phylum-ci image is executed is not able to verify those certificates. Bypassing the verification in this situation would allow for notes to continue to be read and written to the merge request.

Describe the solution you'd like

Provide an ability to bypass server TLS certificate verification in the CI integrations. This should be specifically for connections to internal, self-hosted CI instances (e.g., GitLab EE) and not for all connections (e.g., to Phylum).

Describe alternatives you've considered

None at this time.

Additional context

This may be better implemented with a custom environment variable and not with a new CLI flag. That way, it won't show up in the help output and its use will have to be more intentional, since bypassing security checks is not something to be done without understanding the consequences. If so, advertise the existence of this feature in documentation.

Acceptance criteria

  • API calls to servers with self-signed certificates are allowed when the environment variable is set
  • Documentation is updated
@maxrake maxrake added enhancement New feature or request medium priority This should be addressed soon needs triage Used to indicate that an issue hasn't been reviewed labels Sep 13, 2023
@maxrake maxrake self-assigned this Sep 13, 2023
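One way to implement the scoped bypass the issue asks for, as an added example written for this page and not code from phylum-ci: the verification switch is keyed on the exact host:port of each request URL, so a setting meant for the self-hosted GitLab instance never reaches the connection to Phylum. It goes one step beyond the request by also accepting a path to a PEM bundle holding the instance's private CA, which fixes the `unable to get local issuer certificate` error without disabling verification at all. The environment variable names `PHYLUM_CI_TLS_INSECURE_HOSTS` and `PHYLUM_CI_TLS_CA_BUNDLE`, the host `gitlab.internal.example` and the environment dictionaries are all invented for the example.

```python
"""Scope a TLS-verification bypass to named hosts while every other HTTPS call stays verified."""
import os
import ssl
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Hypothetical environment variable names, invented for this example.
INSECURE_HOSTS_VAR = "PHYLUM_CI_TLS_INSECURE_HOSTS"  # comma-separated host[:port] list
CA_BUNDLE_VAR = "PHYLUM_CI_TLS_CA_BUNDLE"            # PEM file holding the private CA


def _hostport(url: str) -> str:
    """Reduce an https URL to a lower-cased 'host:port' key so matching is exact."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"only https URLs are handled here: {url!r}")
    return f"{parts.hostname.lower()}:{parts.port or 443}"


def insecure_hosts(environ=os.environ) -> frozenset:
    """Parse the allow-list; a bare host name implies port 443."""
    hosts = set()
    for item in environ.get(INSECURE_HOSTS_VAR, "").split(","):
        item = item.strip().lower()
        if item:
            hosts.add(item if ":" in item else f"{item}:443")
    return frozenset(hosts)


def ssl_context_for(url: str, environ=os.environ) -> ssl.SSLContext:
    """Build the SSL context for one request.

    Default: system roots, CERT_REQUIRED and hostname checking. If a CA bundle
    is configured it is added to the trust store, which is the preferred fix
    for a self-signed GitLab. Verification is switched off only when the exact
    host:port of this URL is on the allow-list, so a connection to Phylum is
    never affected by a setting meant for the CI server.
    """
    ctx = ssl.create_default_context()
    bundle = environ.get(CA_BUNDLE_VAR)
    if bundle:
        ctx.load_verify_locations(cafile=bundle)
    if _hostport(url) in insecure_hosts(environ):
        # Order matters: check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(url: str, environ=os.environ) -> bool:
    """True when the context built for this URL still verifies the server certificate."""
    ctx = ssl_context_for(url, environ)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def gitlab_get(url: str, token: str, environ=os.environ, timeout: float = 10.0) -> bytes:
    """Issue a GitLab API GET with the per-host context (network call, not exercised offline)."""
    req = Request(url, headers={"PRIVATE-TOKEN": token})
    with urlopen(req, context=ssl_context_for(url, environ), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed environment standing in for a CI job's variables.
    env = {INSECURE_HOSTS_VAR: "gitlab.internal.example"}
    for url in (
        "https://gitlab.internal.example/api/v4/projects/170/merge_requests/3/notes",
        "https://gitlab.internal.example:8443/api/v4/projects",  # other port: still verified
        "https://api.phylum.io/",                                # Phylum: always verified
    ):
        print(f"{'verify' if verifies(url, env) else 'NO VERIFY':<10} {url}")
```

Matching on the full host:port rather than a substring is deliberate: `evil.gitlab.internal.example` or the same host on a different port still gets a fully verifying context, and an empty or missing variable leaves every connection verified.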