HTTP Template - x509: certificate signed by unknown authority #7790

Closed
mateoporcar opened this issue Feb 7, 2022 · 6 comments · Fixed by #7885

mateoporcar commented Feb 7, 2022

Summary

What happened?

We are trying to make a request to an internal URL with a custom CA certificate, but we get x509: certificate signed by unknown authority.

What you expected to happen?

The ability to skip TLS verification or the ability to provide our internal CA certificate.

What executor are you using?

Emissary

Diagnostics

Paste the smallest workflow that reproduces the bug. We must be able to run the workflow.

    apiVersion: argoproj.io/v1alpha1
    kind: Workflow
    metadata:
      generateName: http-template-
    spec:
      entrypoint: main
      templates:
        - name: main
          steps:
            - - name: get-internal-homepage
                template: http
                arguments:
                  parameters: [{name: url, value: "https://internal-url.com"}]
        - name: http
          inputs:
            parameters:
              - name: url
          http:
            timeoutSeconds: 20 # Default 30
            url: "{{inputs.parameters.url}}"
            method: "GET" # Default GET
            headers:
              - name: "x-header-name"
                value: "test-value"
            successCondition: "response.body contains \"internal-home-page\"" # available since v3.3
            body: "test body" # Change request body

Argo Workflow Version: v3.3.0-rc3 and v3.2.8 (release)

    # The workflow's pods that are problematic:
    kubectl logs http-template-4vsp5-1340600742-agent

    time="2022-02-07T19:07:21.319Z" level=info msg="Starting Workflow Executor" version=untagged
    time="2022-02-07T19:07:21.321Z" level=info msg="Starting Agent" requeueTime=10s taskWorkers=16 workflow=http-template-4vsp5
    time="2022-02-07T19:07:21.337Z" level=info msg="Watch workflowtasksets 200"
    time="2022-02-07T19:07:21.354Z" level=info msg="TaskSet Event" event_type=ADDED workflow=http-template-4vsp5
    time="2022-02-07T19:07:21.354Z" level=info msg="Processing task" nodeID=http-template-4vsp5-939548807
    time="2022-02-07T19:07:21.415Z" level=info msg="Sending result" message="Get \"https://internal-url.com\": x509: certificate signed by unknown authority" nodeID=http-template-4vsp5-939548807 phase=Failed requeue=0s

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

Contributor

alexec commented Feb 7, 2022

I don't think this is a bug. I think this is the correct behaviour. Instead we need the following enhancements:

  • Support insecureSkipVerify for HTTP template.
  • Support import of CA certs into agent for HTTP template.

alexec added the type/feature (Feature request) and type/security (Security related) labels and removed the type/bug and triage labels on Feb 7, 2022

ogandoe commented Feb 8, 2022

It would be great!!! having those options

@sarabala1979
Member

#7390

Member

sarabala1979 commented Feb 10, 2022

Certs can be imported/mounted as k8s secrets into agent pods. HttpTemplate can have tlsConfig with a list of secretsReferences. Agent pods will mount all certs during creation.

    - name: http
      inputs:
        parameters:
          - name: url
      http:
        tlsConfigs:
          insecureSkipVerify: false
          certs:
            - secretKeyRef:
                name: corp-tls-sert
                key: cert
            - secretKeyRef:
                name: corp1-tls-sert
                key: cert.perm
        # url: https://dummy.restapiexample.com/api/v1/employees
        url: "{{inputs.parameters.url}}"

Member

sarabala1979 commented Feb 11, 2022

    - name: http
      inputs:
        parameters:
          - name: url
      http:
        insecureSkipVerify: false
        # url: https://dummy.restapiexample.com/api/v1/employees
        url: "{{inputs.parameters.url}}"
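
The CA-import option discussed in this thread, shown at the Go `crypto/tls` level as an added example (not code from the thread or from Argo Workflows): a client that trusts a supplied CA through `RootCAs` keeps chain and hostname verification on, which `InsecureSkipVerify: true` would switch off. The function names and the `httptest` server standing in for the internal URL are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newInternalServer is a constructed stand-in for the internal HTTPS URL.
func newInternalServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "internal-home-page")
	}))
}

// serverCAPEM plays the role of the CA file that would be mounted from a Secret.
func serverCAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// fetch requests url with certificate verification enabled. A nil caPEM uses
// the system roots; otherwise only the CAs in caPEM are trusted.
func fetch(url string, caPEM []byte) error {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return fmt.Errorf("no certificate found in PEM input")
		}
		cfg.RootCAs = pool
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	srv := newInternalServer()
	defer srv.Close()
	fmt.Println("system roots:", fetch(srv.URL, nil))
	fmt.Println("custom CA:   ", fetch(srv.URL, serverCAPEM(srv)))
}
```

A malformed CA file is rejected before any request is sent, so a bad Secret value fails loudly instead of silently falling back to the system roots.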

alexec pushed a commit that referenced this issue Feb 16, 2022
agilgur5 changed the title from "HTTP Template - x509: certificate signed by unknown authority" to "HTTP Template - x509: certificate signed by unknown authority" on Aug 8, 2024
@rossigee

I'm hitting this now (v3.5.10). The documentation page for 'HTTP template' makes no mention of insecureSkipVerify or tlsConfig. In fact, it doesn't cover TLS at all.

Am I missing something?
