fix: ensure CA trust remains when using tlsRejectUnauthorized

snyk · Jul 15, 2024 · 895d232 · 895d232
1 parent 92a98a4
commit 895d232
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 4 deletions.
diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml
@@ -428,8 +428,7 @@ spec:
             - name: HTTPS_KEY
               value: /home/node/tls-cert/tls.key
          {{- end }}
-
-         {{- if .Values.tlsRejectUnauthorized  }}
+         {{- if or ( and .Values.tlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }}
          # Troubleshooting - Set to 0 for SSL inspection testing
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"

diff --git a/charts/snyk-broker/tests/broker_deployment_ca_test.yaml b/charts/snyk-broker/tests/broker_deployment_ca_test.yaml
@@ -162,3 +162,94 @@ tests:
         documentSelector:
           path: metadata.name
           value: RELEASE-NAME-snyk-broker-cacert-secret
+
+  - it: explicitly disables CA trust
+    set:
+      caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----"
+      disableCaCertTrust: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CA_CERT
+            value: "/home/node/cacert/cacert"
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: NODE_EXTRA_CA_CERTS
+            value: "/home/node/cacert/cacert"
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: NODE_TLS_REJECT_UNAUTHORIZED
+            value: "0"
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: RELEASE-NAME-snyk-broker-cacert-volume
+            mountPath: /home/node/cacert
+            readOnly: true
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: RELEASE-NAME-snyk-broker-cacert-volume
+            secret:
+              name: RELEASE-NAME-snyk-broker-cacert-secret
+        template: broker_deployment.yaml
+      - equal:
+          path: data.cacert
+          value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
+        template: secrets.yaml
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-snyk-broker-cacert-secret
+
+
+  - it: does not disables CA trust if tlsRejectUnauthorized is true
+    set:
+      caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----"
+      tlsRejectUnauthorized: "0"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CA_CERT
+            value: "/home/node/cacert/cacert"
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: NODE_EXTRA_CA_CERTS
+            value: "/home/node/cacert/cacert"
+        template: broker_deployment.yaml
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: NODE_TLS_REJECT_UNAUTHORIZED
+            value: "0"
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: RELEASE-NAME-snyk-broker-cacert-volume
+            mountPath: /home/node/cacert
+            readOnly: true
+        template: broker_deployment.yaml
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: RELEASE-NAME-snyk-broker-cacert-volume
+            secret:
+              name: RELEASE-NAME-snyk-broker-cacert-secret
+        template: broker_deployment.yaml
+      - equal:
+          path: data.cacert
+          value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
+        template: secrets.yaml
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-snyk-broker-cacert-secret
diff --git a/charts/snyk-broker/values.schema.json b/charts/snyk-broker/values.schema.json
@@ -262,11 +262,20 @@
     "caCertFile": {
       "type": "string"
     },
+    "disableCaCertTrust": {
+      "type": "boolean"
+    },
     "tlsRejectUnauthorized":{
-      "type": "string",
+      "type": [
+        "string",
+        "boolean"
+      ],
       "enum":[
         "",
-        "0"
+        "0",
+        "false",
+        false,
+        "disable"
       ]
     },
     "httpProxy":{

diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml
@@ -235,6 +235,9 @@ caCert: ""
 # caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----"
 caCertFile: ""
 
+# Set to `true` to disable trust validation when providing your own CA certificate.
+disableCaCertTrust: false
+
 # Set to "0" to disable trust validation when using self signed certificates.
 tlsRejectUnauthorized: ""