Bug 1572452 - [APB] `apb list --secure` error. `--secure` flag needs ability to specify CA certificate
Summary: [APB] `apb list --secure` error. `--secure` flag needs ability to specify CA ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.10.0
Assignee: Dylan Murray
QA Contact: sunzhaohua
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-27 03:41 UTC by sunzhaohua
Modified: 2018-07-30 19:14 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-07-30 19:14:14 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 None None None 2018-07-30 19:14:34 UTC

Description sunzhaohua 2018-04-27 03:41:32 UTC
Description of problem:
`apb list --ensure` error

Version-Release number of selected component (if applicable):
openshift v3.10.0-0.29.0
Version: apb-1.2.4

How reproducible:
Always

Steps to Reproduce:
1. Deploy servicecatalog and ASB in OCP cluster.
2. #apb list --secure


Actual results:
`apb list` is normal,  `apb list --secure` return error.


# apb list
ID                                NAME                   DESCRIPTION                                         
36077d69b057756261f2c43e6542a34b  local-hello-world-apb  deploys hello-world web application                 
b25061072afba2afdb54df7fc0f0f2ff  local-my-push-apb      This is a sample application generated by apb init  
ed5fa193279f5cb309769d5947187b76  local-my-remote2-apb   This is a sample application generated by apb init

# apb list --secure
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0425-fn0.qe.rhcloud.com/ansible-service-broker/v2/catalog
ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0425-fn0.qe.rhcloud.com/ansible-service-broker/v2/catalog
Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)


Expected results:
 `apb list --secure` could list apbs successful.

Additional info:

Comment 1 Dylan Murray 2018-05-01 13:29:14 UTC
I do not think this is a bug. You ran `apb list --secure` which is running SSL verification. If you do not have the certs installed on your machine then this will fail. If you are working on a machine that has signed certs which you can validate against then it will succeed. I'm leaning towards simply deprecating this as I don't see anyone using this feature and most developers are working on a cluster with self-signed certs.

Comment 2 Dylan Murray 2018-05-02 01:51:04 UTC
Can you confirm that you were running this command on a cluster with self signed certs? The --secure flag does SSL verification.

Comment 3 Dylan Murray 2018-05-02 15:41:13 UTC
Sentiment from the team was to *not* deprecate this. This is working as expected so I am inclined to say this is not a bug. I can add a better error handling message but there really is no bug here.

Comment 4 sunzhaohua 2018-05-03 08:33:01 UTC
Dylan, In my understanding, our cluster has signed certs so that I ran this command on the master node of a cluster it should successful, but it failed.
To be honest, I don't konw how to confirm a cluster with self signed certs or not. Could you tell me?

I try to ran:
# openssl s_client -showcerts -connect 172.16.120.102:8443
CONNECTED(00000003)
depth=1 CN = openshift-signer@1525332491
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=10.8.245.51
   i:/CN=openshift-signer@1525332491
...
    Start Time: 1525335033
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)


apb-1.2.5
oc v3.10.0-0.31.0

I run below command on master node. 

# apb list
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME                DESCRIPTION                                         
c7096dc1d495f408a998b366deb9a162  szh-hello-test-apb  deploys hello-test web application                  
143dd4d7062599acac6e48faf741a2af  szh-mariadb-apb     Mariadb apb implementation                          
bce98521431a3b8160252d5bca1b571d  szh-mediawiki-apb   Mediawiki apb implementation                        
              
# apb list --secure
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0502-45u.qe.rhcloud.com/ansible-service-broker/v2/catalog
Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Comment 5 John Matthews 2018-05-03 15:37:51 UTC
Below are my thoughts on this BZ.

Traditionally a CLI should default to secure and an option would be added for insecure.
If we did that then for the majority of use cases we see, a developer would be seeing failures on connecting and they'd need to add the insecure flag each time.  For this reason and since this tool is targetting developer workflows we've flipped the pattern so insecure is default mode of running and a user needs to specify --secure to validate the connection.

When we added the --secure flag we failed to allow the ability to specify the CA cert to verify the connection against.


For this BZ I recommend we add the ability to specify the CA cert to verify against. 
This would need to be the CA for the external endpoints on the k8s cluster.  

We could consider changing --secure to require a string argument which would be used as the path of the certificate. 


Work needed:
1) Add an option to obtain the path of the CA Certificate
2) Update the API calls to enable SSL_VERIFY and to use the specified CA Certificate

Comment 6 Dylan Murray 2018-05-08 16:42:53 UTC
According to the python docs (http://docs.python-requests.org/en/master/user/advanced/) we can pass a path to the CA cert for the `verify` flag. So our current implementation shouldn't need much work. I want to change `--secure` to `--ca-path`. I'm not totally sure why we had this defaulted to a boolean because `verify` is not a true/false option for the requests package.

Comment 8 Dylan Murray 2018-05-10 15:12:50 UTC
Correction to my earlier comment... verify *can* be a boolean but also accepts a path to a CA cert. The above PR is ready to go.

Comment 9 David Zager 2018-05-16 12:48:32 UTC
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16215987

I messed up, this was ready at the same time https://bugzilla.redhat.com/show_bug.cgi?id=1573714 was built downstream.

Comment 10 sunzhaohua 2018-05-17 07:43:21 UTC
verified

# apb version
Version: apb-1.2.8

# apb list --secure 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ERROR: Failed broker request (get) https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
Exception occurred! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

# apb list --ca-path /etc/origin/master/ca.crt 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME             DESCRIPTION                                         
0cd794ef27f565cc0e755585dbbcdcdc  local-my-01-apb  This is a sample application generated by apb init

# apb list --secure --ca-path /etc/origin/master/ca.crt 
Contacting the ansible-service-broker at: https://asb-1338-openshift-ansible-service-broker.apps.0517-sc3.qe.rhcloud.com/ansible-service-broker/v2/catalog
ID                                NAME             DESCRIPTION                                         
0cd794ef27f565cc0e755585dbbcdcdc  local-my-01-apb  This is a sample application generated by apb init

Comment 12 errata-xmlrpc 2018-07-30 19:14:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816


Note You need to log in before you can comment on or make changes to this bug.