Skip to content

Fixes #27451: Allow configuring the HTTPS certificates #6575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Sep 4, 2025
Merged

Fixes #27451: Allow configuring the HTTPS certificates #6575

merged 13 commits into from
Sep 4, 2025

Conversation

@amousset
Copy link
Member

@amousset amousset commented Aug 27, 2025
edited
Loading

https://issues.rudder.io/issues/27451

Webapp side:

  • Adds a new global "HTTPS only" option
  • Renames "secure validation" / "cert name validation" to "cert validation"
  • Change the bahvior of the ca setting to load the content of the PEM file instead of passing the file path (this provides the value on nodes)

@amousset
Copy link
Member Author

amousset commented Aug 28, 2025

PR updated with a new commit

@amousset amousset changed the title Fixes #27451: Make the apache config configurable Fixes #27451: Allow configuring the HTTPS certificates Aug 28, 2025
@amousset
fixup! fixup! Fixes #27451: Make the apache config configurable
c011bf7 
Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 2, 2025

PR updated with a new commit

@amousset amousset marked this pull request as ready for review September 2, 2025 08:06
@amousset
Copy link
Member Author

amousset commented Sep 2, 2025

TODO minijinja

Fdall
Fdall reviewed Sep 2, 2025
View reviewed changes
policies/lib/tree/10_ncf_internals/modules/promises/download-shared-file
AUDIT="false"

define_class() {
echo "+$1"
Copy link
Contributor

@Fdall Fdall Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is it used for ?

@amousset
fixup! fixup! fixup! Fixes #27451: Make the apache config configurable
3acdc78 
Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 3, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! Fixes #27451: Make the apache config conf…
9fbb892 
…igurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! Fixes #27451: Make the apache conf…
c6d9ba9 
…ig configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! Fixes #27451: Make the apac…
b96b19a 
…he config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #27451: Make t…
8ed4550 
…he apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #27451:…
08ba53a 
… Make the apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes …
78eb645 
…#27451: Make the apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!…
33a745a 
… Fixes #27451: Make the apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

peckpeck
peckpeck reviewed Sep 4, 2025
View reviewed changes
policies/lib/tree/10_ncf_internals/modules/promises/download-shared-file
#
# Does hash comparison to avoid useless downloads.

# Uses the CFEngine module protocol.
Copy link
Member

@peckpeck peckpeck Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

really ?
it is called with commands:

peckpeck
peckpeck reviewed Sep 4, 2025
View reviewed changes
policies/lib/tree/30_generic_methods/file_from_shared_folder.cf
"${report_data.method_id}" usebundle => log_rudder_v4("${path}", "Copying ${path} from ${source}", "");

commands:
pass2.!pass3.rudder_https_only::
Copy link
Member

@peckpeck peckpeck Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't the logging missing ?

Copy link
Member Author

@amousset amousset Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is, this method does not work for noz

peckpeck
peckpeck reviewed Sep 4, 2025
View reviewed changes
relay/sources/apache/rudder-apache-relay-ssl.conf.j2
SSLCACertificateFile /var/rudder/lib/ssl/policy_server_ca.pem
{% endif %}

{% if classes.rudder_cert_validation is not defined %}
Copy link
Member

@peckpeck peckpeck Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if classes.rudder_cert_validation is defined but not vars.custom_ca_path there will be no SSLCACertificateFile i don't thinks that's expected

Copy link
Member Author

@amousset amousset Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK it uses the system CA store when no value is provided.

fanf
fanf reviewed Sep 4, 2025
View reviewed changes
Copy link
Member

@fanf fanf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scala parts seem good.

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!…
dde1fef 
… fixup! Fixes #27451: Make the apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset
Copy link
Member Author

amousset commented Sep 4, 2025
edited
Loading

Merging to be able to test the whole thing. I'll fix the file from shared folder method in an upcoming PR.

@Normation-Quality-Assistant
Copy link
Contributor

Normation-Quality-Assistant commented Sep 4, 2025

This PR is not mergeable to upper versions.
Since it is "Ready for merge" you must merge it by yourself using the following command:
rudder-dev merge https://github.com/Normation/rudder/pull/6575
-- Your faithful QA
Kant merge: "Happiness is not an ideal of reason, but of imagination."
(https://ci.normation.com/jenkins/job/merge-accepted-pr/106740/console)

@amousset
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!…
1dc3b94 
… fixup! fixup! Fixes #27451: Make the apache config configurable

Fixes #27451: Allow configuring the certificates
@amousset
Copy link
Member Author

amousset commented Sep 4, 2025

PR updated with a new commit

@amousset amousset merged commit 046c6a6 into Normation:branches/rudder/9.0 Sep 4, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fanf fanf fanf left review comments

@peckpeck peckpeck peckpeck left review comments

@Fdall Fdall Fdall left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@amousset @Normation-Quality-Assistant @fanf @peckpeck @Fdall