From 895d232db3e66769eaf2a75a72dd7353fd999057 Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Mon, 15 Jul 2024 13:11:30 +0100 Subject: [PATCH] fix: ensure CA trust remains when using tlsRejectUnauthorized --- .../templates/broker_deployment.yaml | 3 +- .../tests/broker_deployment_ca_test.yaml | 91 +++++++++++++++++++ charts/snyk-broker/values.schema.json | 13 ++- charts/snyk-broker/values.yaml | 3 + 4 files changed, 106 insertions(+), 4 deletions(-) diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml index 8e1ff48..ba86159 100644 --- a/charts/snyk-broker/templates/broker_deployment.yaml +++ b/charts/snyk-broker/templates/broker_deployment.yaml @@ -428,8 +428,7 @@ spec: - name: HTTPS_KEY value: /home/node/tls-cert/tls.key {{- end }} - - {{- if .Values.tlsRejectUnauthorized }} + {{- if or ( and .Values.tlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED value: "0" diff --git a/charts/snyk-broker/tests/broker_deployment_ca_test.yaml b/charts/snyk-broker/tests/broker_deployment_ca_test.yaml index 53c5c70..6a8aa3b 100644 --- a/charts/snyk-broker/tests/broker_deployment_ca_test.yaml +++ b/charts/snyk-broker/tests/broker_deployment_ca_test.yaml 
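Review bot: The new `if` tests `.Values.tlsRejectUnauthorized` for Go-template truthiness, so of the spellings the schema in this commit accepts, the string `"false"` is truthy and emits NODE_TLS_REJECT_UNAUTHORIZED=0 while the boolean `false` is falsy and leaves verification on — two values the schema treats as equivalent behave oppositely. Normalising once and testing membership, e.g. `{{- $tlsOff := has (toString .Values.tlsRejectUnauthorized) (list "0" "false" "disable") }}` (Sprig functions, available in Helm templates) and using `$tlsOff` where the condition currently reads `.Values.tlsRejectUnauthorized`, would make every accepted spelling behave the same. Since this `if` is the only guard on a process-wide switch, the troubleshooting comment should say what it does: `# NODE_TLS_REJECT_UNAUTHORIZED=0 turns off certificate verification for every outbound TLS connection from the broker, not just the endpoint being inspected`. With a CA certificate supplied, tlsRejectUnauthorized is now silently ignored unless disableCaCertTrust is also set; that is the safe direction, but a one-line comment on the `if` stating it would stop the next reader from reintroducing the old branch.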
@@ -162,3 +162,94 @@ tests: documentSelector: path: metadata.name value: RELEASE-NAME-snyk-broker-cacert-secret + + - it: explicitly disables CA trust + set: + caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" + disableCaCertTrust: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + name: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + + - it: does not disables CA trust if tlsRejectUnauthorized is true + set: + caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" + tlsRejectUnauthorized: "0" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - notContains: + path: 
spec.template.spec.containers[0].env + content: + name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + name: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret diff --git a/charts/snyk-broker/values.schema.json b/charts/snyk-broker/values.schema.json index 67ea7fd..752746b 100644 --- a/charts/snyk-broker/values.schema.json +++ b/charts/snyk-broker/values.schema.json @@ -262,11 +262,20 @@ "caCertFile": { "type": "string" }, + "disableCaCertTrust": { + "type": "boolean" + }, "tlsRejectUnauthorized":{ - "type": "string", + "type": [ + "string", + "boolean" + ], "enum":[ "", - "0" + "0", + "false", + false, + "disable" ] }, "httpProxy":{ diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml index cb682b3..5ef5d80 100644 --- a/charts/snyk-broker/values.yaml +++ b/charts/snyk-broker/values.yaml @@ -235,6 +235,9 @@ caCert: "" # caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----" caCertFile: "" +# Set to `true` to disable trust validation when providing your own CA certificate. +disableCaCertTrust: false + # Set to "0" to disable trust validation when using self signed certificates. tlsRejectUnauthorized: ""
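Review bot: The second case is named `does not disables CA trust if tlsRejectUnauthorized is true` but sets `tlsRejectUnauthorized: "0"`, so the name contradicts the input it exercises; `- it: keeps CA trust when tlsRejectUnauthorized is "0" and caCertFile is set` describes what is actually asserted. Both new cases use `caCertFile` only, although the template condition also accepts `caCert`, and neither covers `disableCaCertTrust: true` set without any CA certificate, which under the new condition should not emit NODE_TLS_REJECT_UNAUTHORIZED; a `notContains` case for that combination would pin the guard. The boolean `false` spelling the schema now permits is also untested, so whichever way it is meant to behave is currently unspecified by the suite.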
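Review bot: The enum now accepts the boolean `false` but not `true`, so a user who reads the key name literally and writes `tlsRejectUnauthorized: true` to keep verification enabled fails schema validation instead of getting the secure default. Either accept `true` as the no-op spelling alongside `""`, or keep `"type": "string"` only so the key never looks like a boolean; listing both `false` and `"false"` in one enum invites exactly that confusion. `"disable"` is also a newly accepted value that nothing in values.yaml mentions.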
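Review bot: The comment on `disableCaCertTrust` does not say that the flag only takes effect when `caCert` or `caCertFile` is set, nor that it works by setting NODE_TLS_REJECT_UNAUTHORIZED=0, which Node applies to every outbound TLS connection of the process rather than only the one using the supplied CA. Suggested wording: `# Set to true to disable TLS certificate verification entirely (NODE_TLS_REJECT_UNAUTHORIZED=0) even though a CA` / `# certificate is supplied via caCert/caCertFile; has no effect without one. Troubleshooting only, never leave enabled.` The `tlsRejectUnauthorized` comment below it should likewise state that it is ignored once a CA certificate is provided (use disableCaCertTrust instead) and list the accepted spellings `"0"`, `"false"` and `"disable"`.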