UberKitten
commented
1 year ago Notably, the default behavior I suggested can be achieved by editing .conjurrc and removing the cert_file: line. This behavior is already the default in one sense, but you can't choose this behavior through the CLI itself.
Is your feature request related to a problem? Please describe.
In my company, Conjur is deployed as a central service by IT. The service uses globally trusted TLS certificates. These certificates are regularly updated by IT with no advance warning to me.
When Conjur's certificates are updated, the CLI refuses to connect to the Conjur server. I have to override the hard-coded certificate. This makes it difficult to use the CLI in automation workflows, scripts, and applications as they will fail often.
Describe the solution you would like
By default, the CLI should not pin HTTPS certificates. This matches how most of the Conjur tools work (all the SDKs, Jenkins plugin, probably others). This matches industry best practices. The existing behavior could be preserved behind an option to
conjur initlike--pin-cert.This way, I can use the Conjur CLI from applications and scripts without having to worry about the command failing when certificates are replaced. This would also mean that when you run
conjur init --force, there is no longer any user input needed. This matches the common usage of--forceby most CLI tools.Describe alternatives you have considered
Alternatively, the default behavior could remain, and an option like
--no-pin-certcould be added toconjur init. This flag would also have to be represented in.conjurrc.Additional context
Currently, the best way to use the Conjur CLI from a script or tool is to always run the following when starting:
This is kind of silly.