Validate server cert against ca cert for registry mirror #2414

Merged
merged 1 commit into from
Jun 17, 2022

vivek-koppuru
Member

Issue #, if available:
#1857

Description of changes:
As described in the issue above, we weren't checking for the validity of the cert if the caCert passed in is not the self-signed server cert instead. This allows for checking the validity of the cert against the server itself instead of just checking for whether the cert is valid without actually making a call to the server. Also modified the unit tests to spin up a test HTTP server to test the cert setup.

Testing (if applicable):
Ran against CI registry mirror configuration and another public one.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
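The check the description outlines (handshake with the mirror and verify its certificate against the supplied CA), as an added Go example that is not code from this pull request or the eks-anywhere repository. The names `verifyServerAgainstCA`, `unrelatedCAPEM` and `demo` are hypothetical, and a local `httptest` TLS server with a constructed, unrelated CA stands in for a real registry mirror.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// verifyServerAgainstCA handshakes with addr (host:port) trusting only caPEM; crypto/tls checks chain and host.
func verifyServerAgainstCA(addr string, caPEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("CA bundle holds no parsable PEM certificate")
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return fmt.Errorf("verify %s: %w", addr, err)
	}
	return conn.Close()
}

// unrelatedCAPEM builds a constructed self-signed CA that did not issue the server certificate.
func unrelatedCAPEM() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// demo runs the check twice against a local TLS test server: with its own cert, then with the unrelated CA.
func demo() (matchingCA, wrongCA, setupErr error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	servingPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	otherPEM, setupErr := unrelatedCAPEM()
	return verifyServerAgainstCA(addr, servingPEM), verifyServerAgainstCA(addr, otherPEM), setupErr
}

func main() { fmt.Println(demo()) }
```

A CA file that parses cleanly but did not sign the server's certificate is rejected only because the handshake actually takes place; parsing the PEM alone would accept it.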

@eks-distro-bot eks-distro-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 15, 2022
@codecov
codecov bot commented Jun 15, 2022

Codecov Report

Merging #2414 (ac87715) into main (4aab6d5) will increase coverage by 0.02%.
The diff coverage is 84.61%.

@@            Coverage Diff             @@
##             main    #2414      +/-   ##
==========================================
+ Coverage   56.94%   56.96%   +0.02%     
==========================================
  Files         306      306              
  Lines       24844    24868      +24     
==========================================
+ Hits        14147    14166      +19     
- Misses       9399     9400       +1     
- Partials     1298     1302       +4     
| Impacted Files | Coverage Δ |
|---|---|
| pkg/crypto/validator.go | 82.92% <83.33%> (+25.03%) ⬆️ |
| pkg/validations/cluster.go | 87.50% <100.00%> (-0.38%) ⬇️ |
| pkg/providers/tinkerbell/create.go | 50.00% <0.00%> (-2.90%) ⬇️ |
| pkg/providers/tinkerbell/stack/stack.go | 82.03% <0.00%> (-1.20%) ⬇️ |
| .../api/v1alpha1/tinkerbelltemplateconfig_defaults.go | 99.00% <0.00%> (-1.00%) ⬇️ |
| ...g/api/v1alpha1/tinkerbelldatacenterconfig_types.go | 5.26% <0.00%> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@vivek-koppuru
Member Author

/approve

@eks-distro-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vivek-koppuru


@vivek-koppuru vivek-koppuru force-pushed the cert-verify branch 2 times, most recently from 6696369 to 85c36ad Compare June 16, 2022 19:01
@vivek-koppuru vivek-koppuru force-pushed the cert-verify branch 6 times, most recently from 611b6da to 769b0a6 Compare June 16, 2022 22:27
@eks-distro-bot eks-distro-bot merged commit 46e40b9 into aws:main Jun 17, 2022
wongni pushed a commit to wongni/eks-anywhere that referenced this pull request Jun 21, 2022
@vivek-koppuru vivek-koppuru deleted the cert-verify branch January 26, 2024 00:11