[fix] Add ssl certs to scratch image #171

Merged
merged 1 commit into from
Dec 16, 2024

Conversation

amgxv
Copy link
Contributor

@amgxv amgxv commented Dec 10, 2024

Hi!

First of all, thanks for this tool, it's awesome and works pretty well!
I wanted to use the Docker image just to create a containerized job to export credentials, but I found that it was failing to verify the SSL cert. (Using -k works.)

```
 ✘ andres@andres-ThinkPad-E14-Gen-2  ~/workspace/forks/medusa   main  docker run -it -e "VAULT_ADDR=https://vault.example.com/" -e "VAULT_TOKEN=XXXXX" ghcr.io/jonasvinther/medusa:0.7.2 export common/alloy/
Get "https://vault.example.com/v1/sys/internal/ui/mounts/common/alloy": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error: Get "https://vault.example.com/v1/sys/internal/ui/mounts/common/alloy": tls: failed to verify certificate: x509: certificate signed by unknown authority
Usage:
  medusa export [vault path] [flags]

Flags:
  -e, --encrypt              Encrypt the exported Vault data
  -m, --engine-type string   Specify the secret engine type [kv1|kv2] (default "kv2")
  -f, --format string        Specify the export format [yaml|json] (default "yaml")
  -h, --help                 help for export
  -o, --output string        Write to file instead of stdout
  -p, --public-key string    Location of the RSA public key

Global Flags:
  -a, --address string                Address of the Vault server
  -k, --insecure                      Allow insecure server connections when using SSL
      --kubernetes                    Authenticate using the Kubernetes JWT token
      --kubernetes-auth-path string   Authentication mount point within Vault for Kubernetes
  -n, --namespace string              Namespace within the Vault server (Enterprise only)
  -r, --role string                   Vault role for Kubernetes JWT authentication
  -t, --token string                  Vault authentication token

Get "https://vault.example.com/v1/sys/internal/ui/mounts/common/alloy": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

- Ignore the URL (I need to filter it for security reasons).

Looks like the scratch Docker image where the Go binaries are copied is pretty minimalist, and it looks like it doesn't contain the system SSL certs.

I've modified the Dockerfile, adding the certificates provided by the ca-certificates package from apk, and now it looks like it can validate the SSL certificate and establish a secure connection.

Thanks again!
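For readers who hit the same error, here is a minimal multi-stage Dockerfile illustrating the fix described in this PR; it is an added example, not the medusa repository's Dockerfile or the PR's diff. The Go base image tag, build command and binary path are assumptions; the one line that matters is the COPY of the CA bundle into the scratch stage.

```dockerfile
# Illustrative example, not the medusa repository's Dockerfile.
# Build stage: an Alpine-based Go image (tag assumed). The apk
# ca-certificates package installs the system CA bundle at
# /etc/ssl/certs/ca-certificates.crt.
FROM golang:1.23-alpine AS build
RUN apk add --no-cache ca-certificates
WORKDIR /src
COPY . .
# Static binary so it runs on scratch without libc (build command assumed).
RUN CGO_ENABLED=0 go build -o /out/medusa .

# Runtime stage: scratch ships no shell, no libc and no CA store. With no
# roots on disk, Go's crypto/x509 builds an empty system pool and every
# HTTPS handshake fails with "x509: certificate signed by unknown authority",
# which is why the Vault call above only worked with -k.
FROM scratch
# Copy only the CA bundle. Go on Linux reads this path by default, so no
# extra configuration is needed in the image.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /out/medusa /medusa
ENTRYPOINT ["/medusa"]
```

Because scratch has no shell, the quickest way to confirm the bundle landed is to run `docker create` on the image and inspect its filesystem with `docker export <container-id> | tar -t | grep ca-certificates`. For a Vault fronted by a private CA, Go also honours the `SSL_CERT_FILE` environment variable, so an organisation's own bundle can be mounted and pointed to at run time rather than falling back to -k.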

@jonasvinther jonasvinther merged commit 9f08983 into jonasvinther:main Dec 16, 2024
2 of 3 checks passed