Bug 1572452

I do not think this is a bug. You ran `apb list --secure` which is running SSL verification. If you do not have the certs installed on your machine then this will fail. If you are working on a machine that has signed certs which you can validate against then it will succeed. I'm leaning towards simply deprecating this as I don't see anyone using this feature and most developers are working on a cluster with self-signed certs.

Can you confirm that you were running this command on a cluster with self signed certs? The --secure flag does SSL verification.

Sentiment from the team was to *not* deprecate this. This is working as expected so I am inclined to say this is not a bug. I can add a better error handling message but there really is no bug here.

Dylan, In my understanding, our cluster has signed certs so that I ran this command on the master node of a cluster it should successful, but it failed.
To be honest, I don't konw how to confirm a cluster with self signed certs or not. Could you tell me?

I try to ran:
# openssl s_client -showcerts -connect 172.16.120.102:8443
CONNECTED(00000003)
depth=1 CN = openshift-signer@1525332491
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=10.8.245.51
   i:/CN=openshift-signer@1525332491
...
    Start Time: 1525335033
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)


apb-1.2.5
oc v3.10.0-0.31.0

I run below command on master node. 

# apb list
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME                DESCRIPTION                                         
c7096dc1d495f408a998b366deb9a162  szh-hello-test-apb  deploys hello-test web application                  
143dd4d7062599acac6e48faf741a2af  szh-mariadb-apb     Mariadb apb implementation                          
bce98521431a3b8160252d5bca1b571d  szh-mediawiki-apb   Mediawiki apb implementation                        
              
# apb list --secure
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Below are my thoughts on this BZ.

Traditionally a CLI should default to secure and an option would be added for insecure.
If we did that then for the majority of use cases we see, a developer would be seeing failures on connecting and they'd need to add the insecure flag each time.  For this reason and since this tool is targetting developer workflows we've flipped the pattern so insecure is default mode of running and a user needs to specify --secure to validate the connection.

When we added the --secure flag we failed to allow the ability to specify the CA cert to verify the connection against.


For this BZ I recommend we add the ability to specify the CA cert to verify against. 
This would need to be the CA for the external endpoints on the k8s cluster.  

We could consider changing --secure to require a string argument which would be used as the path of the certificate. 


Work needed:
1) Add an option to obtain the path of the CA Certificate
2) Update the API calls to enable SSL_VERIFY and to use the specified CA Certificate

According to the python docs (http://docs.python-requests.org/en/master/user/advanced/) we can pass a path to the CA cert for the `verify` flag. So our current implementation shouldn't need much work. I want to change `--secure` to `--ca-path`. I'm not totally sure why we had this defaulted to a boolean because `verify` is not a true/false option for the requests package.

https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/pull/285

Correction to my earlier comment... verify *can* be a boolean but also accepts a path to a CA cert. The above PR is ready to go.

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16215987

I messed up, this was ready at the same time https://bugzilla.redhat.com/show_bug.cgi?id=1573714 was built downstream.

verified

# apb version
Version: apb-1.2.8

# apb list --secure 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

# apb list --ca-path /etc/origin/master/ca.crt 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME             DESCRIPTION                                         
0cd794ef27f565cc0e755585dbbcdcdc  local-my-01-apb  This is a sample application generated by apb init

# apb list --secure --ca-path /etc/origin/master/ca.crt 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME             DESCRIPTION                                         
0cd794ef27f565cc0e755585dbbcdcdc  local-my-01-apb  This is a sample application generated by apb init

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816