apache / incubator-kie-kogito-runtimes

Kogito Runtimes - Kogito is a cloud-native business automation technology for building cloud-ready business applications.
http://kogito.kie.org
Apache License 2.0

Send REST requests to endpoint using self-signed certificates #3444

Open gabriel-farache opened 4 months ago

gabriel-farache commented 4 months ago

If I am sending a REST request using a function with openapi specs in the specs folder to an endpoint with self-signed certificates, I get a Java error:

 Error while retrieving transformation output: ApiException{code=0, responseHeaders=null, responseBody='null'}
    at dev.parodos.move2kube.ApiClient.invokeAPI(ApiClient.java:1019)
    at dev.parodos.move2kube.api.ProjectsApi.getProject(ProjectsApi.java:284)
    at dev.parodos.move2kube.api.ProjectsApi.getProject(ProjectsApi.java:227)
    at dev.parodos.service.Move2KubeServiceImpl.waitForTransformationToBeDone(Move2KubeServiceImpl.java:64)
    at dev.parodos.service.Move2KubeServiceImpl.getTransformationOutput(Move2KubeServiceImpl.java:43)
    at dev.parodos.service.Move2KubeServiceImpl_ClientProxy.getTransformationOutput(Unknown Source)
    at dev.parodos.SaveTransformationFunction.saveTransformation(SaveTransformationFunction.java:55)
    at dev.parodos.SaveTransformationFunction_ClientProxy.saveTransformation(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at io.quarkus.funqy.runtime.FunctionInvoker.invoke(FunctionInvoker.java:123)
    at io.quarkus.funqy.runtime.bindings.knative.events.VertxRequestHandler.dispatch(VertxRequestHandler.java:571)
    at io.quarkus.funqy.runtime.bindings.knative.events.VertxRequestHandler.lambda$processCloudEvent$4(VertxRequestHandler.java:404)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...

Would it be possible to do that? Or is that not supported willingly?

ricardozanini commented 3 months ago

Can you try importing the self-signed public certs into your trusted default cacerts in this JVM? I believe this is just a matter of configuration instead of implementation.

I know there's a way to implement/use an alternate SSLFactory in the REST invocation side, but I'd rather stress the config approach first.

gabriel-farache commented 3 months ago

Well, the need originates from testing workflows/orchestrator on a cluster with self-signed certificates, so it's not like something that will always have the same certs (probably the Certificate Authority will be the same). Is it possible in the sonataflow CR to specify an initContainer? I guess yes, as it uses a pod template.

Taking that assumption, yes, it could be possible to load the certs and CA into the trust and key stores during init or post pod start, but that's not very convenient when you want to test.

ricardozanini commented 3 months ago

You can add the trusted authority cert to the cacerts and inject it into a base image in your cluster.
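The configuration route ricardozanini describes, as an added example that is not from this thread or the Kogito project: instead of editing the JDK's default cacerts in place, it builds a separate trust store holding only the cluster CA and points the JVM at it through the standard `javax.net.ssl` system properties. The host, paths, alias and the PKCS12 store type are assumptions.

```shell
#!/bin/sh
# Added example (not Kogito code): dedicated JVM trust store for a cluster CA.
# Assumptions: openssl and keytool are on PATH; the workflow runs as a plain
# JVM process or in a container whose environment/command line we control.
set -eu

# Keep only PEM certificate blocks from whatever is on stdin.
extract_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Dump the chain the endpoint presents. This only bootstraps a throwaway test
# cluster; for anything shared, get the CA cert from the cluster operator
# out of band rather than trusting whatever the network hands you.
fetch_chain() {  # usage: fetch_chain host port > chain.pem
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null | extract_pem
}

# Import the CA PEM into a fresh PKCS12 trust store (created if absent).
# Import the CA, not the leaf cert, so rotated leaf certs keep validating.
build_truststore() {  # usage: build_truststore ca.pem store.p12 password
  keytool -importcert -noprompt -trustcacerts \
    -alias cluster-ca -file "$1" \
    -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# Confirm the alias landed in the store before shipping it into a pod.
verify_store() {  # usage: verify_store store.p12 password
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
    | grep -q '^cluster-ca,'
}

# JVM options that point the default SSLContext at that store. Put them in
# JAVA_TOOL_OPTIONS or the container command; the JDK's own CA set is then
# replaced by this store, and certificate validation stays fully enabled.
# The store holds public certs only, so the password guards integrity, not
# secrecy; it is still visible in the process list, hence a fixed test value.
truststore_opts() {  # usage: truststore_opts store.p12 password
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Typical flow (uncomment to run against a real endpoint):
# fetch_chain api.example.internal 443 > chain.pem
# build_truststore chain.pem /etc/pki/cluster-trust.p12 changeit
# verify_store /etc/pki/cluster-trust.p12 changeit
# export JAVA_TOOL_OPTIONS="$(truststore_opts /etc/pki/cluster-trust.p12 changeit)"
```

Because the system properties replace the default trust store rather than extend it, add the public CAs you still need (for example with `keytool -importkeystore` from the JDK cacerts) if the workflow also calls endpoints outside the cluster.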