
Add option to skip TLS certificate verification

Open turbolocust opened this issue 3 years ago • 9 comments

If behind a proxy, I get the following issue when trying to connect to our OpenShift cluster:

[screenshot: error_os_login_docker_extension]

The error actually states what needs to be done to bypass this issue. Use the --insecure-skip-tls-verify flag when using the oc command.

turbolocust avatar May 13 '22 09:05 turbolocust

I just checked and saw that the CA certificate can also be specified via --certificate-authority.

turbolocust avatar May 13 '22 09:05 turbolocust

We can check the SSL certificate before starting the oc command. If it is not trusted, there would be a confirmation request to proceed. If confirmed, oc would be executed with the --insecure-skip-tls-verify option.

dgolovin avatar May 17 '22 19:05 dgolovin

The HttpResponse instance should contain 'socket.authorized', which would indicate certs with an unknown authority. I'll check if it works as expected and adjust the workflow.

dgolovin avatar May 17 '22 20:05 dgolovin

@fbricon We can start with settings page and add single option there for now:

  1. Add --insecure-skip-tls-verify to oc commands

We can provide more intelligent error handling later.

The code below does the certificate check.

```typescript
import https from 'https';
import { TLSSocket } from 'tls';

const options = {
  host: 'api.crc.testing', // self signed certificate in chain
  method: 'GET',
  path: '/',
  port: 6443
};

// The response callback is only reached when the TLS handshake succeeds,
// i.e. when the chain is trusted; 'authorized' is then true.
const req = https.request(options, (res): void => {
  console.log('Certificate Status: ', (res.socket as TLSSocket).authorized);
});

// An untrusted or invalid certificate aborts the handshake and arrives here
// instead, with the verification reason in error.code.
req.on('error', error => {
  console.error(error);
});

req.end();
```

It will print out a console error:

```text
Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1485:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:485:12)
    at TLSSocket._finishInit (_tls_wrap.js:928:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}
```

The full list of errors is here.

For host equal to expired.badssl.com it prints out:

```text
Error: certificate has expired
    at TLSSocket.onConnectSecure (_tls_wrap.js:1485:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:485:12)
    at TLSSocket._finishInit (_tls_wrap.js:928:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
  code: 'CERT_HAS_EXPIRED'
}
```

oc seems to work fine with SELF_SIGNED_CERT_IN_CHAIN; at least I don't get any errors when deploying an image on a local CRC-provisioned OpenShift cluster. Need to check the oc code to see how it handles different kinds of certificate-related errors.

dgolovin avatar May 18 '22 04:05 dgolovin
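An added example, not code from the openshift-dd-ext extension or from this thread, of the probe-then-confirm flow described above: connect with tls.connect (verification disabled only for this diagnostic), read socket.authorized / socket.authorizationError so the reason can be shown to the user, and append --insecure-skip-tls-verify to every oc invocation only once the user has confirmed. The function names and the set of failure codes treated as eligible for confirmation are assumptions.

```typescript
import * as tls from 'tls';

interface TlsProbeResult {
  authorized: boolean;   // true when Node's trust store accepts the chain
  reason?: string;       // verification code (e.g. SELF_SIGNED_CERT_IN_CHAIN) or socket error code
  subject?: string;      // leaf certificate CN, for the confirmation dialog
  fingerprint?: string;  // SHA-256 fingerprint, so the user can compare it out of band
}

// Diagnostic probe only: verification is disabled here so the callback is reached
// even for an untrusted chain (with https.request and default options the callback
// never fires; the failure only arrives on 'error'). Nothing is sent on this socket.
function probeServerCertificate(host: string, port: number, timeoutMs = 5000): Promise<TlsProbeResult> {
  return new Promise((resolve) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate();
      resolve({
        authorized: socket.authorized,
        reason: socket.authorized ? undefined : String(socket.authorizationError),
        subject: cert.subject?.CN,
        fingerprint: cert.fingerprint256,
      });
      socket.end();
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error('ETIMEDOUT')));
    socket.on('error', (err: Error & { code?: string }) =>
      resolve({ authorized: false, reason: err.code ?? err.message }));
  });
}

// Assumed policy: only failures caused by a private or self-signed CA (the CRC case
// in this thread) are offered for confirmation; hostname mismatch, revocation or an
// expired certificate are reported but never bypassed.
const CONFIRMABLE = new Set(['SELF_SIGNED_CERT_IN_CHAIN', 'DEPTH_ZERO_SELF_SIGNED_CERT',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'UNABLE_TO_GET_ISSUER_CERT']);

function mayOfferInsecureBypass(r: TlsProbeResult): boolean {
  return !r.authorized && r.reason !== undefined && CONFIRMABLE.has(r.reason);
}

// The flag has to go on every oc command, not only on oc login (see the later
// comments in this thread), so the argument list is built in one place.
function ocArgs(args: string[], skipTlsVerify: boolean): string[] {
  return skipTlsVerify ? [...args, '--insecure-skip-tls-verify'] : [...args];
}

// Usage (not run here): await probeServerCertificate('api.crc.testing', 6443), and
// only after mayOfferInsecureBypass() plus the user's confirmation,
// spawn('oc', ocArgs(['login', 'https://api.crc.testing:6443'], true)).
```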

Hi, is there any update on that topic? I am trying to set up Docker Desktop with the OpenShift extension, but all I get is the following message:

error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

Is there any option available to bypass the TLS security check? I'm running the latest version of Docker Desktop and the OpenShift extension.

Thanks

acocalypso avatar Aug 30 '22 08:08 acocalypso

@acocalypso this is not fixed yet. You can work around it by downloading 'oc' for your platform and running 'oc login' from a terminal with '--certificate' or '--insecure-skip-tls-verify'. Then select that context in the extension and it will work with what 'oc login' put in ~/.kube/config.

dgolovin avatar Aug 30 '22 16:08 dgolovin

Added a checkbox to add --insecure-skip-tls-verify to oc login in #76. The certificate verification can be done in another PR (should it be a separate issue?)

daniel-shuy avatar Oct 13 '22 16:10 daniel-shuy

@dgolovin do we need to pass the flag to all oc commands or doing it once during login is sufficient?

fbricon avatar Oct 14 '22 08:10 fbricon

@fbricon good question! I checked the docs and it looks like it needs to be passed to all oc commands (e.g. oc api-versions). I've updated the PR to do so.

daniel-shuy avatar Oct 14 '22 12:10 daniel-shuy