Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for private CA on the Agent side #3494
Allow for private CA on the Agent side #3494
Changes from all commits
3add046
abbce29
8b0a349
f25cacf
a088575
aab4a16
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this code up-to-date with our current thinking?
As the code now stands (AFAICT), if we specify
server
, then we ignore theserver_ca
option in the config file, and we'll depend onREQUESTS_CA_BUNDLE
if an override is needed; if, instead, we pull theuri
from the config file, then we'll honorserver_ca
if it is provided...why the bifurcation? Why not use the config file CA value in both cases if it is provided? Or, why have theserver_ca
option at all when the user can useREQUESTS_CA_BUNDLE
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The config file defines a server and optionally a CA to go with that server. If you don't create a custom config file and use
--server
, there's not going to be aserver_ca
anyway. But if you have a config file, even with aserver_ca
, we can't necessarily assume that the--server
target cert uses that CA.So basically, config file server goes with config file CA; while
--server
goes withREQUESTS_CA_BUNDLE
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unclear why we need this change and why it's better than just relying on
REQUESTS_CA_BUNDLE
for both cases. 🤷There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So your idea is that if someone installs the Agent RPM and relies on a server configured in
pbench-agent.cfg
so they can justpbench-results-move
(e.g., the passthrough server) we should still require them to put a customizedREQUESTS_CA_BUNDLE
in the environment?Granted, in the long run, we don't want to force users to rely on private CA certs at all, but this still seems worth doing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thinking is that, in production, access to the Pbench Server will require only publicly-available and trusted CAs (for some definition of "public"...e.g., "Red Hat internal", perhaps...), and so no specific action (e.g., defining
REQUESTS_CA_BUNDLE
) on the part of the user would be required.For Staging, we should be operating in a similar environment (i.e., behind the IntLab proxies and using IntLab-signed or RH-IT-signed certs).
So, it's only for func-test and development that we would need to be using our private CA. "Normal users" wouldn't need it, unless they are working with bits that are too hot for Staging.
And, I think we have func-test already covered. So, it all really boils down to how do we support our developers. And, for that, I think we can rely on defining
REQUESTS_CA_BUNDLE
(and, we can probably do it implicitly inside a wrapper script or two, so it doesn't have to be reflected at all in the actual Agent or Server code).