Bug 1572452
Summary: [APB] `apb list --secure` error. `--secure` flag needs ability to specify CA certificate

| Field | Value | Field | Value |
|---|---|---|---|
| Product | OpenShift Container Platform | Reporter | sunzhaohua <zhsun> |
| Component | Service Broker | Assignee | Dylan Murray <dymurray> |
| Status | CLOSED ERRATA | QA Contact | sunzhaohua <zhsun> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 3.10.0 | CC | aos-bugs, chezhang, dymurray, jiazha, jmatthew, zhsun, zitang |
| Target Milestone | --- | | |
| Target Release | 3.10.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2018-07-30 19:14:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
sunzhaohua
2018-04-27 03:41:32 UTC
I do not think this is a bug. You ran `apb list --secure` which is running SSL verification. If you do not have the certs installed on your machine then this will fail. If you are working on a machine that has signed certs which you can validate against then it will succeed. I'm leaning towards simply deprecating this as I don't see anyone using this feature and most developers are working on a cluster with self-signed certs. Can you confirm that you were running this command on a cluster with self-signed certs?

The --secure flag does SSL verification. Sentiment from the team was to *not* deprecate this. This is working as expected so I am inclined to say this is not a bug. I can add a better error handling message but there really is no bug here.

Dylan, in my understanding our cluster has signed certs, so when I ran this command on the master node of a cluster it should be successful, but it failed. To be honest, I don't know how to confirm whether a cluster has self-signed certs or not. Could you tell me? I tried to run:

    # openssl s_client -showcerts -connect 172.16.120.102:8443
    CONNECTED(00000003)
    depth=1 CN = openshift-signer@1525332491
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
     0 s:/CN=10.8.245.51
       i:/CN=openshift-signer@1525332491
    ...
    Start Time: 1525335033
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

apb-1.2.5
oc v3.10.0-0.31.0

I ran the commands below on the master node.

    # apb list
    Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
    ID                                 NAME                 DESCRIPTION
    c7096dc1d495f408a998b366deb9a162   szh-hello-test-apb   deploys hello-test web application
    143dd4d7062599acac6e48faf741a2af   szh-mariadb-apb      Mariadb apb implementation
    bce98521431a3b8160252d5bca1b571d   szh-mediawiki-apb    Mediawiki apb implementation

    # apb list --secure
    Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
    ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
    Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Below are my thoughts on this BZ. Traditionally a CLI should default to secure and an option would be added for insecure. If we did that then for the majority of use cases we see, a developer would be seeing failures on connecting and they'd need to add the insecure flag each time. For this reason and since this tool is targeting developer workflows we've flipped the pattern so insecure is the default mode of running and a user needs to specify --secure to validate the connection. When we added the --secure flag we failed to allow the ability to specify the CA cert to verify the connection against. For this BZ I recommend we add the ability to specify the CA cert to verify against. This would need to be the CA for the external endpoints on the k8s cluster. We could consider changing --secure to require a string argument which would be used as the path of the certificate.

Work needed:
1) Add an option to obtain the path of the CA Certificate
2) Update the API calls to enable SSL_VERIFY and to use the specified CA Certificate

According to the python docs (http://docs.python-requests.org/en/master/user/advanced/) we can pass a path to the CA cert for the `verify` flag. So our current implementation shouldn't need much work. I want to change `--secure` to `--ca-path`. I'm not totally sure why we had this defaulted to a boolean because `verify` is not a true/false option for the requests package.

Correction to my earlier comment... verify *can* be a boolean but also accepts a path to a CA cert.

The above PR is ready to go.

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16215987

I messed up, this was ready at the same time https://bugzilla.redhat.com/show_bug.cgi?id=1573714 was built downstream.

verified

    # apb version
    Version: apb-1.2.8

    # apb list --secure
    Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
    ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
    Exception occurred!
    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

    # apb list --ca-path /etc/origin/master/ca.crt
    Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
    ID                                 NAME              DESCRIPTION
    0cd794ef27f565cc0e755585dbbcdcdc   local-my-01-apb   This is a sample application generated by apb init

    # apb list --secure --ca-path /etc/origin/master/ca.crt
    Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
    ID                                 NAME              DESCRIPTION
    0cd794ef27f565cc0e755585dbbcdcdc   local-my-01-apb   This is a sample application generated by apb init

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816
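The following is an added illustration, not code from the apb project or from anyone in this thread: it maps the `--secure` and `--ca-path` flags discussed above onto the `verify` value that python-requests accepts (a boolean or a CA file path) and builds the equivalent stdlib `ssl.SSLContext`, so the three verification policies can be compared without a cluster. The broker URL and all function names are assumptions.

```python
"""Added example (not apb's own code): how --secure / --ca-path map onto the
`verify` argument of python-requests, which takes either a boolean or the path
of a CA bundle, and the equivalent stdlib ssl.SSLContext for urllib."""
import os
import ssl
import urllib.request
from typing import Optional, Union

# Constructed placeholder URL; the real broker route comes from the cluster.
BROKER_CATALOG = "https://asb.example.invalid/ansible-service-broker/v2/catalog"


def resolve_verify(secure: bool, ca_path: Optional[str]) -> Union[bool, str]:
    """Return the value to pass as requests' `verify` (hypothetical helper).

    - no flags          -> False (apb's insecure default, no verification)
    - --secure          -> True  (system CA bundle; fails on a self-signed cluster CA,
                                  which is the CERTIFICATE_VERIFY_FAILED seen in this BZ)
    - --ca-path FILE    -> FILE  (trust the cluster CA, e.g. /etc/origin/master/ca.crt)
    A --ca-path that does not exist is reported up front instead of surfacing
    later as a confusing TLS handshake failure.
    """
    if ca_path:
        if not os.path.isfile(ca_path):
            raise FileNotFoundError(f"CA certificate not found: {ca_path}")
        return ca_path
    return bool(secure)


def build_ssl_context(verify: Union[bool, str]) -> ssl.SSLContext:
    """Stdlib equivalent of requests' `verify`, usable with urllib."""
    if verify is True:
        return ssl.create_default_context()           # system trust store
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False                    # must be disabled before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=verify)  # trust only the given CA bundle


def fetch_catalog(url: str, verify: Union[bool, str], timeout: float = 10.0) -> bytes:
    """GET the broker catalog under the chosen verification policy."""
    ctx = build_ssl_context(verify)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```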