Open JohnVillalovos opened 3 months ago
This is definitely not a chore, and I'm not fully on board with this change in its current form. Changes to the implementation will favor HTTPs over HTTP. This can create a huge blast radius if HTTPs is present but hidden behind self-signed certificates or even public CAs with recent changes to the certificate chain (e.g. recent changes to DigiCert).
This code explicitly uses all non-TLS variants to make sure we can actually spin up resources. From my perspective, this looks like a feature flag that needs to be explicitly enabled by the Beaker owner, as they need to make sure HTTPs is usable in their infrastructure.
WDYT @p3ck
This is definitely not a chore, and I'm not fully on board with this change in its current form. Changes to the implementation will favor HTTPs over HTTP. This can create a huge blast radius if HTTPs is present but hidden behind self-signed certificates or even public CAs with recent changes to the certificate chain (e.g. recent changes to DigiCert).
This code explicitly uses all non-TLS variants to make sure we can actually spin up resources. From my perspective, this looks like a feature flag that needs to be explicitly enabled by the Beaker owner, as they need to make sure HTTPs is usable in their infrastructure.
WDYT @p3ck
I agree that this should be turned on via a config flag.
Maybe support a config option to specify http_schemes
config.http_schemes = ['http']
When specifying the URL for the location of the distro for a lab controller, allow usage of
https
URLs.Previously you could add an
https
URL, but then when provisioning the system it would fail with the error: Command 1234566 aborted: No usable URL found for distro tree 123 in lab lab1.example.com