[BUG] v0.30.0-rc.0 unable to reveal with vault using python 3
Describe the bug/feature
We're using self-signed certificates with our Vault. Running Docker using this script by @ademariag with a few Vault additions:

```bash
#!/bin/bash
# Wrapper: run a locally installed kapitan if there is one, otherwise the Docker image.
set -o nounset -o pipefail -o noclobber -o errexit
DIR=$(dirname "${BASH_SOURCE[0]}")
ABS_PATH=$(cd "${DIR}"; pwd)
KAPITAN_IMAGE=kapicorp/kapitan:v0.30.0-rc.0
if hash kapitan 2> /dev/null
then
  KAPITAN_BINARY=kapitan
else
  # Vault additions: pass the token through and switch TLS verification off
  # (VAULT_SKIP_VERIFY plus PYTHONHTTPSVERIFY=0, the workaround that worked in v0.29.x).
  KAPITAN_BINARY="docker run --rm -i -u $UID --network host -w /src \
    -e VAULT_TOKEN=${VAULT_TOKEN} \
    -e VAULT_SKIP_VERIFY=true \
    -e PYTHONHTTPSVERIFY=0 \
    -v $PWD:/src:delegated \
    ${KAPITAN_IMAGE}"
fi
exec ${KAPITAN_BINARY} "$@"
```

```
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.exmple.com', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))
```
To Reproduce
Steps to reproduce the behavior:

```
./kapitan compile --fetch --reveal
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.exmple.com', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))
```
Expected behavior
In v0.29.x PYTHONHTTPSVERIFY=0 works well.
My research told me that python3 doesn't have this particular flag anymore :man_shrugging:
**If it's a bug (please complete the following information):**
- docker -> kapicorp/kapitan:v0.30.0-rc.0
Additional context: https://github.com/kapicorp/kapitan/releases/tag/v0.30.0-rc.0
@Moep90, I believe this has to do with your SSL environment not having the correct certificate authority set up. PYTHONHTTPSVERIFY=0 was good for testing, but the correct solution is to make your private CA available to Python somehow.
How depends on your system and how you run kapitan.
@ademariag, you're right.
We're using self-signed certificates with our vault.
Since we only use the container, we have to find a way to either provide our own CA in every container version of kapitan, mount it every time, or simply ignore SSL verification. Everything runs internally, so in this case certificate verification does not play a big role for us, and it is much simpler for us than updating the container on every run.
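The "mount the CA every time" option above can be done in the wrapper script itself, without rebuilding the image or turning verification off. The script below is an added example, not part of the thread or of the kapitan project: it assumes the private CA is a PEM file at `$PRIVATE_CA` (default `./certs/vault-ca.pem`), builds a bundle of the host's system roots plus that CA, mounts the bundle read-only into the container, and points `REQUESTS_CA_BUNDLE` (honoured by `requests`, which hvac uses) and `SSL_CERT_FILE` (honoured by Python's `ssl` module) at it. The combined bundle matters because `REQUESTS_CA_BUNDLE` replaces the default bundle rather than extending it, so mounting only the private CA would make `--fetch` from public HTTPS hosts fail instead.

```bash
#!/bin/bash
# Added example (not the project's script): run Kapitan in Docker against a Vault
# with a private CA, trusting that CA instead of disabling TLS verification.
set -o nounset -o errexit

KAPITAN_IMAGE="${KAPITAN_IMAGE:-kapicorp/kapitan:v0.30.0-rc.0}"
# Assumption: the private CA (or chain) is a PEM file on the host at this path.
PRIVATE_CA="${PRIVATE_CA:-$PWD/certs/vault-ca.pem}"
# Where the bundle is mounted inside the container (arbitrary, must match the env vars).
CA_IN_CONTAINER=/etc/ssl/certs/private-ca-bundle.pem

# Fail early on a wrong path or a non-PEM file, so the problem does not surface
# later as another "unable to get local issuer certificate" from inside the container.
check_ca_file() {
  [ -r "$1" ] || { echo "CA file not readable: $1" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
    || { echo "not a PEM certificate: $1" >&2; return 1; }
}

# Build <system roots> + <private CA> and print the bundle path.
# REQUESTS_CA_BUNDLE *replaces* the default bundle, so the public roots are kept
# to avoid breaking `kapitan --fetch` against public HTTPS hosts.
make_ca_bundle() {
  local ca="$1" out="${2:-${TMPDIR:-/tmp}/kapitan-ca-bundle.$$.pem}" sys
  check_ca_file "$ca"
  : > "$out"
  for sys in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
    if [ -r "$sys" ]; then
      cat "$sys" >> "$out"
      break
    fi
  done
  cat "$ca" >> "$out"
  echo "$out"
}

# Print the docker command line as one string. No VAULT_SKIP_VERIFY and no
# PYTHONHTTPSVERIFY: verification stays on, it just has the right trust store.
# Assumption: the bundle path and $PWD contain no whitespace (as in the original script).
build_kapitan_cmd() {
  local bundle="$1"
  printf '%s' "docker run --rm -i -u $(id -u) --network host -w /src \
    -e VAULT_TOKEN=${VAULT_TOKEN:-} \
    -e REQUESTS_CA_BUNDLE=$CA_IN_CONTAINER \
    -e SSL_CERT_FILE=$CA_IN_CONTAINER \
    -v $bundle:$CA_IN_CONTAINER:ro \
    -v $PWD:/src:delegated \
    $KAPITAN_IMAGE"
}

if [ "$#" -gt 0 ]; then
  BUNDLE=$(make_ca_bundle "$PRIVATE_CA")
  # shellcheck disable=SC2046  (intentional word splitting, see assumption above)
  exec $(build_kapitan_cmd "$BUNDLE") "$@"
else
  echo "usage: $0 <kapitan arguments>, e.g. $0 compile --fetch --reveal" >&2
fi
```

Usage is the same as before (`./kapitan compile --fetch --reveal`), with `PRIVATE_CA=/path/to/ca.pem` exported or the file placed at the default path. If the Vault certificate is the self-signed leaf itself rather than one issued by a private CA, that leaf certificate is what goes in `PRIVATE_CA`.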