Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

[MongoDB] Unable to connect using self-signed certificates #420

Closed artyom-p closed 5 months ago

artyom-p commented 1 year ago

Describe the bug

We try to run Infisical in Kubernetes and use our own MongoDB instance running in the cluster. Our instance is configured to use self-signed certs. Specifying external connection string in the Infisical helm chart

To Reproduce

  1. Run MongoDB with TLS on, and self-signed certs configured.
  2. Specify external MongoDB connection string for Infisical helm chart:
    mongodbConnection:
      externalMongoDBConnectionString: "mongodb+srv://infisical:pwd@mongodb-svc.mongodb.svc.cluster.local/infisical?replicaSet=mongodb&ssl=true&sslInvalidHostNameAllowed=true&authSource=admin&authMechanism=SCRAM-SHA-256"

Expected behavior

The sslInvalidHostNameAllowed flag should instruct the client not to validate the self-signed certificate's domain.

Screenshots

> infisical-api@1.0.0 start
> node build/index.js

2023-03-10T08:20:34.783Z [IFSC:backend-main] info: 

To improve, Infisical collects telemetry data about general usage.
This helps us understand how the product is doing and guide our product development to create the best possible platform; it also helps us demonstrate growth as we support Infisical as open-source software.
To opt into telemetry, you can set `TELEMETRY_ENABLED=true` within the environment variables.
2023-03-10T08:20:35.876Z [IFSC:backend-main] info: Server started listening at port 4000
(node:19) [MONGOOSE] DeprecationWarning: Mongoose: the `strictQuery` option will be switched back to `false` by default in Mongoose 7. Use `mongoose.set('strictQuery', false);` if you want to prepare for this change. Or use `mongoose.set('strictQuery', true);` to suppress this warning.
(Use `node --trace-deprecation ...` to show where the warning was created)
2023-03-10T08:20:35.879Z [IFSC:database] error: Unable to establish Database connection due to the error.
MongoParseError: option sslinvalidhostnameallowed is not supported
(node:19) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy

Platform you are having the issue on:

EKS 1.24

maidul98 commented 1 year ago

Hey @artyom-p, thanks for bringing this up. At the moment, the default Infisical connection configuration doesn't account for TLS. We wanted to keep the connection string simple, but I understand adding TLS would certainly add a layer of security when your instance of Infisical is communicating with the DB. I will bring this up with the team and let you know when we can plan for this in an upcoming sprint. If possible, please use a non-TLS-enabled DB for the time being.

sheensantoscapadngan commented 1 year ago

Hey @artyom-p. Can you try using tlsAllowInvalidHostnames=true instead?

https://www.mongodb.com/docs/manual/reference/connection-string/

artyom-p commented 1 year ago

@sheensantoscapadngan works!
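
A pre-deployment check for the option names discussed in this thread, as an added example that is not part of the issue or of Infisical's code: it flags the spelling the Node.js driver rejected and reports when an accepted option turns off part of TLS server verification. The function name, finding messages, and sample URIs are assumptions made for illustration.

```javascript
// Added example (not Infisical code): audit the TLS options of a MongoDB URI.
// The option the Node.js driver rejected in this issue -> its replacement.
const RENAMED = { sslinvalidhostnameallowed: "tlsAllowInvalidHostnames" };

// Standard options that switch off part of server verification when "true".
const WEAKENS_TLS = {
  tlsallowinvalidhostnames: "hostname verification is disabled",
  tlsallowinvalidcertificates: "certificate validation is disabled",
  tlsinsecure: "certificate and hostname validation are disabled",
};

function auditMongoUri(uri) {
  const q = uri.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : uri.slice(q + 1));
  // The driver's error shows the name lowercased, so compare in lower case.
  const opts = new Map([...params].map(([k, v]) => [k.toLowerCase(), v.toLowerCase()]));
  const findings = [];
  for (const [name, value] of opts) {
    if (RENAMED[name]) {
      findings.push({ level: "error", option: name,
        msg: `rejected by the Node.js driver; use ${RENAMED[name]}` });
    } else if (WEAKENS_TLS[name] && value === "true") {
      findings.push({ level: "warn", option: name, msg: WEAKENS_TLS[name] });
    }
  }
  // With a private CA, tlsCAFile keeps verification on instead of relaxing it.
  if (findings.some((f) => f.level === "warn") && !opts.has("tlscafile")) {
    findings.push({ level: "hint", option: "tlsCAFile",
      msg: "trust the issuing CA and give the server cert a matching SAN" });
  }
  return findings;
}

// Constructed sample URIs (placeholder host, credentials and CA path).
const BASE = "mongodb://user:pass@db.example.internal/infisical?tls=true&authSource=admin";
const SAMPLES = {
  asReported: BASE + "&sslInvalidHostNameAllowed=true",
  workaround: BASE + "&tlsAllowInvalidHostnames=true",
  verified: BASE + "&tlsCAFile=/etc/mongo/ca.pem",
};

for (const [label, uri] of Object.entries(SAMPLES)) {
  console.log(label, auditMongoUri(uri));
}
```

The `workaround` sample connects, but it is reported with a warning because the client no longer checks that the certificate was issued for the host it dialed.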

renatoaraujo commented 1 year ago

Hey @maidul98 is there any update on this issue? I am trying to use MongoDB Atlas with Infisical and use the TLS connection and this is quite a blocker :/

maidul98 commented 1 year ago

@renatoaraujo if you are able to put together a PR, I'm happy to review it. Just ensure that current functionality isn't affected.

akhilmhdh commented 5 months ago

Closing as we moved away from MongoDB