Send REST requests to endpoint using self-signed certificates #3444

Open
gabriel-farache opened this issue Mar 14, 2024 · 3 comments
@gabriel-farache
Contributor

If I am sending a REST request using a function with openapi specs in the specs folder to an endpoint with self-signed certificates, I get a Java error:

 Error while retrieving transformation output: ApiException{code=0, responseHeaders=null, responseBody='null'}
	at dev.parodos.move2kube.ApiClient.invokeAPI(ApiClient.java:1019)
	at dev.parodos.move2kube.api.ProjectsApi.getProject(ProjectsApi.java:284)
	at dev.parodos.move2kube.api.ProjectsApi.getProject(ProjectsApi.java:227)
	at dev.parodos.service.Move2KubeServiceImpl.waitForTransformationToBeDone(Move2KubeServiceImpl.java:64)
	at dev.parodos.service.Move2KubeServiceImpl.getTransformationOutput(Move2KubeServiceImpl.java:43)
	at dev.parodos.service.Move2KubeServiceImpl_ClientProxy.getTransformationOutput(Unknown Source)
	at dev.parodos.SaveTransformationFunction.saveTransformation(SaveTransformationFunction.java:55)
	at dev.parodos.SaveTransformationFunction_ClientProxy.saveTransformation(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at io.quarkus.funqy.runtime.FunctionInvoker.invoke(FunctionInvoker.java:123)
	at io.quarkus.funqy.runtime.bindings.knative.events.VertxRequestHandler.dispatch(VertxRequestHandler.java:571)
	at io.quarkus.funqy.runtime.bindings.knative.events.VertxRequestHandler.lambda$processCloudEvent$4(VertxRequestHandler.java:404)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...

Would it be possible to do that? Or is that not supported willingly?

@ricardozanini ricardozanini transferred this issue from apache/incubator-kie-issues Mar 14, 2024
@ricardozanini
Member

Can you try importing the self-signed public certs to your trusted default cacerts in this JVM? I believe this is just a matter of configuration instead of implementation.

I know there's a way to implement/use an alternate SSLFactory in the REST invocation side, but I'd rather stress the config approach first.

@gabriel-farache
Contributor Author

Well, the need originates from testing workflows/orchestrator on a cluster with self-signed certificates, so it's not like something that will always have the same certs (probably the Certificate Authority will be the same).
Is it possible in the sonataflow CR to specify an initContainer? I guess yes, as it uses a pod template.

Taking that assumption, yes, it could be possible to load the certs and CA to the trust and key stores during init or post pod start, but that's not very convenient when you want to test.

@ricardozanini
Member

You can add the trusted authority cert to the cacerts and inject it into a base image in your cluster.
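
An added example, not code from this thread or from the project: one way to build the "alternate SSL factory" mentioned above so that the cluster CA is trusted in addition to the JVM's default CAs, without turning certificate validation off. The class name `ClusterCaTrust`, the method `withExtraCa` and the two command-line arguments are assumptions made for illustration; wiring the resulting `SSLContext` into the generated OpenAPI client is not shown.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Hypothetical helper (not part of the project): default trust anchors + cluster CA.
public class ClusterCaTrust {

    // Returns an SSLContext whose trust store holds the JVM's default CAs plus
    // every certificate in caPem. Chain validation stays on; only the set of
    // trust anchors grows.
    static SSLContext withExtraCa(Path caPem) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null); // null = the JVM's default cacerts

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store, nothing written to disk
        int i = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + i++, c);
                }
            }
        }
        // A CA bundle may contain several certificates; add them all.
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                merged.setCertificateEntry("cluster-ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file with the cluster CA; args[1]: HTTPS URL to call.
        HttpClient client = HttpClient.newBuilder().sslContext(withExtraCa(Path.of(args[0]))).build();
        HttpResponse<Void> r = client.send(
            HttpRequest.newBuilder(URI.create(args[1])).build(), HttpResponse.BodyHandlers.discarding());
        System.out.println("HTTP " + r.statusCode());
    }
}
```

Because the server certificate is still validated against the merged store, an endpoint whose chain does not lead to the supplied CA fails with the same `SSLHandshakeException` as before.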

Status: 📋 Backlog