chartmuseum / helm-push

Helm plugin to push chart package to ChartMuseum
Apache License 2.0
670 stars 170 forks

install behind a proxy with custom certificate #49

Open finkr opened 4 years ago

finkr commented 4 years ago

I tried to install helm push on a server behind a proxy.

However, it failed because the proxy has a custom certificate (HTTPS/TLS) interception.

The installation fails with:

$ helm plugin --debug --logtostderr  install https://github.com/chartmuseum/helm-push
[debug] cloning https://github.com/chartmuseum/helm-push to /home/test/.cache/helm/plugins/https-github.com-chartmuseum-helm-push
[debug] symlinking /home/test/.cache/helm/plugins/https-github.com-chartmuseum-helm-push to /home/test/.local/share/helm/plugins/helm-push
plugin_install.go:73: [debug] loading plugin from /home/test/.local/share/helm/plugins/helm-push
plugin.go:60: [debug] running install hook: /usr/bin/sh -c cd $HELM_PLUGIN_DIR; scripts/install_plugin.sh
Downloading and installing helm-push v0.7.1 ...
https://github.com/chartmuseum/helm-push/releases/download/v0.7.1/helm-push_0.7.1_linux_amd64.tar.gz
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: plugin install hook for "push" exited with error
helm.go:76: [debug] plugin install hook for "push" exited with error
main.runHook
        /home/circleci/helm.sh/helm/cmd/helm/plugin.go:67
main.(*pluginInstallOptions).run
        /home/circleci/helm.sh/helm/cmd/helm/plugin_install.go:79
main.newPluginInstallCmd.func2
        /home/circleci/helm.sh/helm/cmd/helm/plugin_install.go:50
github.com/spf13/cobra.(*Command).execute
        /go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:826
github.com/spf13/cobra.(*Command).ExecuteC
        /go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:914
github.com/spf13/cobra.(*Command).Execute
        /go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:864
main.main
        /home/circleci/helm.sh/helm/cmd/helm/helm.go:75
runtime.main
        /usr/local/go/src/runtime/proc.go:203
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1357

As a workaround, I have added the --insecure option to the curl command in this script (edit with vim):

~/.cache/helm/plugins/https-github.com-chartmuseum-helm-push/scripts/install_plugin.sh

Then I manually resumed the installation:

$ cd ~/.cache/helm/plugins/https-github.com-chartmuseum-helm-push
$ bash     scripts/install_plugin.sh
Downloading and installing helm-push v0.7.1 ...
https://github.com/chartmuseum/helm-push/releases/download/v0.7.1/helm-push_0.7.1_linux_amd64.tar.gz

jdolitsky commented 4 years ago

@finkr we can probably make the --insecure flag configurable based on some environment variable

finkr commented 3 years ago

The problem is quite tricky...

The installer downloads 2 things from the Internet.

All three commands obey https_proxy environment variables.

But Root CA is more complicated:

As a workaround, I eventually created a config file (~/.curlrc) containing --insecure (some may need --proxy-insecure).

ShivaSEO commented 1 year ago

Installing software behind a proxy with a custom certificate typically involves configuring the proxy settings and installing the custom certificate on your system. The exact steps can vary depending on the operating system and software you are installing, but I'll provide a general guide that should work for most cases.

Here are the steps you can follow:

  1. Obtain the custom certificate:

    If you don't already have the custom certificate, you'll need to obtain it from the system administrator or the entity that manages the proxy server.

  2. Install the custom certificate:

    Double-click the custom certificate file (usually in .cer or .pem format) on your system.

    This should launch a certificate installation wizard. Follow the prompts to install the certificate.

    If asked, choose the certificate store as "Trusted Root Certification Authorities" or "Trusted Root Certification Authorities" based on your OS.

  3. Configure the proxy settings:

    On Windows: Go to "Settings" > "Network & Internet" > "Proxy".

    Under "Manual proxy setup," enter the proxy server address and port provided by your network administrator.

    Optionally, you may need to configure specific proxy settings like bypass addresses, depending on your network setup.

    On macOS: Go to "System Preferences" > "Network" > select your active network connection on the left panel.

    Click "Advanced" > "Proxies" tab.

    Configure the necessary proxy settings, such as HTTP, HTTPS, FTP, etc. Use the proxy server address and port provided by your network administrator.

    Optionally, you may need to configure bypass addresses if required by your network setup.

    On Linux: Proxy settings can vary based on the desktop environment or window manager you are using (e.g., GNOME, KDE, Unity).

    In general, you can configure proxy settings in the "Network" or "Proxy" section of your system settings.

    Use the proxy server address and port provided by your network administrator.

  4. Install the software:

    Once the proxy settings and custom certificate are configured, proceed with the software installation as you normally would. The software installation should now be able to pass through the proxy using the custom certificate for secure communication.

Note: specific steps may differ based on your operating system, software, and network environment. Always refer to the documentation provided by the software vendor or your system administrator for precise instructions. Click on http vs https to know more about
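
The ~/.curlrc workaround and the "install the custom certificate" step in the comments above are two answers to the same trust question. As an added example (not part of the thread and not helm-push code), this sketch trusts the proxy's CA for one shell session instead of passing --insecure, and reports curlrc lines that switch verification off. It assumes the local curl and git builds honour CURL_CA_BUNDLE and GIT_SSL_CAINFO; all file paths are placeholders.

```shell
#!/bin/sh
# Added example: trust the intercepting proxy's CA for the plugin install
# instead of disabling certificate verification. Function names are illustrative.

# Print (with line numbers) every curlrc line that turns certificate checks off.
# curl config files accept long options with or without the leading dashes.
find_insecure_curlrc() {
    grep -nE '^[[:space:]]*(-k|(--)?(proxy-)?insecure)([[:space:]]|$)' "$1"
}

# Build one PEM bundle: the system roots plus the proxy's interception CA.
# Refuses a proxy CA file that is not PEM (for example a DER-encoded .cer).
build_ca_bundle() {
    system_bundle=$1 proxy_ca=$2 out=$3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$proxy_ca" || {
        echo "not a PEM certificate: $proxy_ca" >&2; return 1; }
    [ -r "$system_bundle" ] || {
        echo "cannot read system bundle: $system_bundle" >&2; return 1; }
    # The echo guards against a system bundle that lacks a final newline.
    { cat "$system_bundle"; echo; cat "$proxy_ca"; } > "$out"
}

# Point the tools at the bundle for the current shell session only.
trust_proxy_ca() {
    bundle=$1
    [ -s "$bundle" ] || { echo "empty or missing bundle: $bundle" >&2; return 1; }
    export CURL_CA_BUNDLE="$bundle"   # curl, run by scripts/install_plugin.sh
    export GIT_SSL_CAINFO="$bundle"   # git, for the clone step in the debug log
    export SSL_CERT_FILE="$bundle"    # OpenSSL-based and Go programs
}

# Usage (placeholder paths; adjust to your distribution and proxy CA file):
#   build_ca_bundle /etc/pki/tls/certs/ca-bundle.crt ./proxy-ca.pem \
#       "$HOME/.proxy-ca-bundle.pem"
#   trust_proxy_ca "$HOME/.proxy-ca-bundle.pem"
#   helm plugin install https://github.com/chartmuseum/helm-push
#   find_insecure_curlrc "$HOME/.curlrc"   # remove whatever this reports
```

With --insecure in ~/.curlrc, every curl run by that user skips verification, not just this install; scoping trust to the proxy CA keeps the check in place for the release download.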