TIBCOSoftware / flogo

Project Flogo is an open source ecosystem of opinionated event-driven capabilities to simplify building efficient & modern serverless functions, microservices & edge apps.
http://flogo.io
BSD 3-Clause "New" or "Revised" License
2.43k stars 287 forks

Flogo web-ui container certificates #192

Open btrepp opened 6 years ago

btrepp commented 6 years ago

Using a "Rest Service" inside Flogo's Docker container results in "certificate signed by an unknown authority".

This is correct, the container won't know about internal certificates and would fail, but how do we inform the Flogo container of certificates? I'm on Windows (and apparently the volume mounts for Docker don't work for me on Windows). So I can't just overlay new certificates.

Is there a CLI flag we can supply to disable SSL verification?

Currently the only solution I can think of is to maintain my own Docker image that builds on the Flogo one and layers in the certificates my internal domain uses.

retgits commented 6 years ago

Hi! Just to check, when you say a rest service inside the Flogo docker container, is that a docker container you created with the Flogo executable in there (so after you’ve compiled the app), or the Flogo Web UI?

btrepp commented 6 years ago

Sorry, I should have been clearer.

It's the Flogo web-ui that's failing. A red icon appears on the "Invoke Rest Service" step, with the certificate error.

retgits commented 6 years ago

No worries! Just checking :)

Unfortunately I don’t believe there is a way to disable the SSL check done by the Go code.

@mellistibco any thoughts on how you could add the certificates to the container? I guess you could do a docker build setting the FROM to the current Flogo Web image and use ADD to add the certificates, but perhaps you have a better idea?

vijaynalawade commented 6 years ago

@retgits: Ideally, there should be a place on REST invoke to enter the certificate, or simply a toggle on the Invoke activity UI to disable certificate validation by Go.

mellistibco commented 6 years ago

We can add a disable SSL validation option to the activity, but we should also expose an option to provide the cert tree in the event you do want to validate. I'll add this as an enhancement to the current rest activity.

btrepp commented 6 years ago

I've added it to a Docker image, and this may even be the preferred solution. I think it's okay for the project as long as it makes its way into some documentation.

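PowerShell to get a cert from Windows:

```powershell
# Look up the internal root CA in the machine's trusted-root store
# (FINGERPRINT is the certificate's thumbprint).
$cert = (Get-ChildItem -Path cert:\LocalMachine\Root\FINGERPRINT)
$certFile = 'pki.cer'

# Wrap the DER bytes in PEM armor, base64 broken into lines.
$content = @(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
)

# Write as ASCII so no BOM or UTF-16 encoding ends up in the file.
$content | Out-File -FilePath $certFile -Encoding ascii
```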

Then layering that file into an Alpine Linux Docker image:

```
cat Dockerfile
FROM flogo/flogo-docker:v0.5.1-hf01
COPY pki.cer /usr/local/share/ca-certificates/pki.crt
RUN update-ca-certificates
```
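The two options weighed in this thread (switching verification off versus supplying the internal CA), shown as an added Go example that is not Flogo's code and not from any participant: verification stays on and the internal root is appended to the trusted pool, which is what layering `pki.cer` into the image achieves for the whole container. The names `constructedCA`, `withInternalCA` and `verify` are hypothetical, and the self-signed root is generated in memory as a stand-in for `pki.cer`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// constructedCA makes a throwaway self-signed root standing in for pki.cer (constructed sample data).
func constructedCA() (*x509.Certificate, []byte, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo key only
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// withInternalCA returns a copy of base that also trusts the PEM CA, for use as tls.Config.RootCAs.
// Input holding no PEM certificate (e.g. a raw DER .cer export) is rejected, not silently ignored.
func withInternalCA(base *x509.CertPool, caPEM []byte) (*x509.CertPool, error) {
	pool := base.Clone()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificate in %d-byte CA input", len(caPEM))
	}
	return pool, nil
}

func verify(cert *x509.Certificate, roots *x509.CertPool) error { // chain check as a TLS client does it
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	cert, caPEM, err := constructedCA()
	if err != nil {
		panic(err)
	}
	pool, err := withInternalCA(x509.NewCertPool(), caPEM) // empty pool stands in for the stock bundle
	fmt.Println("stock roots:", verify(cert, x509.NewCertPool()))
	fmt.Println("with internal CA:", err, verify(cert, pool))
}
```

The DER rejection matters for the image approach too: a `.cer` exported from Windows as raw DER, without the PEM wrapping done in the PowerShell above, adds nothing to the trust store.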