Open kalbfled opened 1 year ago
Hey team! Please add your planning poker estimate with Zenhub @cris-oddball @EvanParish @ianperera @jakehova @kalbfled @ldraney
@kalbfled please add acceptance criteria
This might be related to the recent problem wherein we update the certs lambda layer, successfully deployed it with Terraform, and later discovered that the layer wasn't actually updated in AWS. That issue has been resolved. Maybe the workaround isn't necessary anymore.
@k-macmillan @mjones-oddball Please see Dave's note above. Sounds like this ticket is no longer needed?
@kalbfled I see you mentioned it "might be" related and "maybe" isn't necessary anymore. Is there a simple way to validate to know for sure?
@mjones-oddball Sorry for the late response. I have the original code commented out in the lambda function. The simple way is to uncomment it, deploy the lambda, and see if it works.
@kalbfled based on your last comment it sounds like some changes are needed to the ticket description under the checkboxes section. Can you update please? Is there any information we need to provide around how to test this? If you took the ticket I understand you'd know how to do it, but another engineer might need more context.
updated
@kalbfled we need a way to validate this. can you please add something about validation?
Done.
I am duplicating the relevant code without the workaround in the new lambda for notification-kafka 3. If it works, we will have the answer for this ticket.
UPDATE: It didn't work.
Keeping.
Timeboxed to 1/2 day! If the resolution still is unknown let's sync and discuss strategy/priority.
Describe the bug
The VA Profile opt-in/out lambda contains code that populates the SSL environment with all the CA certificates in a given folder using the "capath" parameter to ssl.create_default_context. As the code comments state, nothing is being loaded using this approach.
To work around the problem, we instead load two certificates directly using the "cafile" parameter. This works, but the specific CA certificates being loaded will eventually need to change again when VA Profile updates its server certificate. The best solution would be a working revision of the "capath" approach.
Possible Solution
Please read the issue description and comments for vanotify-team 518. The CA certificates are made available to the lambda as part of a layer, and it's possible that the lambda didn't actually update in AWS, as was the case with the .pem file update.
If the .zip files' contents match, this "possible solution" is not going to work. Otherwise, execute these steps:
Expected behavior
The lambda execution environment has access to all CA certificates in the "VA_CAs" layer using "capath".
Impact
The current workaround means that the next CA chain change will require code changes again. Without the workaround, only the lambda layer will need to update.
Validation
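A way to validate the "capath" layer from inside a lambda (added example, not code from the opt-in/out lambda): OpenSSL's capath lookup only opens files named by subject hash (the layout "openssl rehash" produces) and loads them lazily at verification time, so an eager count via cert_store_stats() reports zero even when the directory is correct, while a "cafile" shows up immediately. The hashed file name, the temporary directory and the root certificate borrowed from the platform store are constructed for the demo.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's capath lookup only opens files named <subject-hash>.<n>, e.g. "4a6481c9.0";
# "openssl rehash <dir>" (or the older "c_rehash") creates those names as symlinks.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def capath_layout_report(directory):
    """Classify PEM files in a capath directory as hashed (usable) or unhashed (ignored)."""
    report = {"hashed": [], "unhashed": []}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            is_pem = fh.read(27) == b"-----BEGIN CERTIFICATE-----"
        if is_pem:
            report["hashed" if HASHED_NAME.match(name) else "unhashed"].append(name)
    return report


def count_loaded(cafile=None, capath=None):
    """Return how many CA certificates sit in the store right after loading.

    cafile is read eagerly; capath is only consulted during a verification,
    so this returns 0 for capath even when the directory is correctly hashed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx.cert_store_stats()["x509_ca"]


def one_system_ca_pem():
    """Borrow one root from the platform store so the demo needs no crypto library."""
    ders = ssl.create_default_context().get_ca_certs(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(ders[0]) if ders else None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for the VA_CAs layer
        pem = one_system_ca_pem()
        if pem:
            cafile = os.path.join(d, "ca.pem")
            with open(cafile, "w") as fh:
                fh.write(pem)
            print("cafile loads eagerly:", count_loaded(cafile=cafile))  # 1
            print("capath loads lazily: ", count_loaded(capath=d))       # 0
        print("layout:", capath_layout_report(d))  # ca.pem is flagged as unhashed
```

A directory whose report lists only "unhashed" names is the failure mode worth checking first; the lazy count of zero by itself proves nothing.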