Comments (8)
dpb587-pivotal
commented on August 20, 2024
There was some previous discussion about this in cloudfoundry-attic/bosh-init#102 before the repo was forked. Might be helpful to read up on that for some additional context. We're trying very hard to avoid insecure setups with this new library.
Not familiar with your specific product, but is it truly a requirement to support insecure environments?
from bosh-cli.
craigfurman
commented on August 20, 2024
I appreciate the desire to avoid insecure setups, and agree that disabling TLS verification should be avoided even in development environments (and of course always in production). Unfortunately a flag to ignore cert verification is already a supported feature of our product, designed for development environments (e.g. bosh-lite provisioned through vagrant).
We would also prefer the URL that we give to the library not to be rewritten, so that if we give an http scheme, it is not changed to https by the library.
from bosh-cli.
dpb587-pivotal
commented on August 20, 2024
To be clear, bosh has always communicated over https with the director (never http). It's just that self-signed certificates were used if the operator didn't provide any, and there was lax trust policies in that case. Also, recent versions of bosh-lite are running with more trustable certificates that bosh-cli supports.
@cppforlife may have some thoughts as well with regards to your product requirements.
from bosh-cli.
cppforlife
commented on August 20, 2024
@craigfurman im opposed to adding -k like functionality to either library or cli. let's chat more about how to have you all switch to using verifiable certificates.
from bosh-cli.
craigfurman
commented on August 20, 2024
@cppforlife it isn't about as switching to globally verifiable certs as a development team, ignoring TLS verification (however inadvisable) is already a supported feature of an existing product of ours that interacts with bosh.
Unless we remove this feature we can't use this, unfortunately.
@dpb587-pivotal oops, I forgot about that! It might still be useful for URLs to not be rewritten, as it allows the CLI/library to interact with bosh web mocks that have no reason to serve TLS.
from bosh-cli.
avade
commented on August 20, 2024
The original reason for adding support for ignoring SSL errors was for the BOSH lite use case for local development.
Now that BOSH lite uses trustable certs for Vagrant, then we may be able to remove support for this feature in our product.
from bosh-cli.
cppforlife
commented on August 20, 2024
I'm going to consider this closed then based on Alex's response about bosh-lite.
from bosh-cli.
craigfurman
commented on August 20, 2024
@cppforlife I'm still against rewriting URLs, if for no other reason than simplifying the use of web-mocking the bosh API (no need to serve TLS from the mock).
from bosh-cli.
Related Issues (20)
- BOSH CLI commands to automatically add diego cell or Create VM on which containers can be deployed on . HOT 1
- [Question] About release v6.4.8 HOT 5
- Running deploy with a certain variable value panics HOT 3
- BOSH CLI on Windows platform is holding file lock on ssh-known-hosts file prevent ssh child process to read it HOT 4
- Release binaries for arm64 HOT 2
- Set the the ACL when uploading to S3 HOT 3
- Allow importing bosh-cli v6.4.2 as a dependency HOT 2
- TLS handshake failure occurs when downloading bosh-release HOT 2
- bosh upload-release (from source) ignores local changes HOT 2
- Specifying instances by index ambiguous HOT 3
- Updating package via bosh `vendor-package --prefix` does not honor prefix on dependent packages HOT 3
- Adding `--preview` parameter to bosh deploy command before commencing deployment HOT 5
- Creating releases with blobs are broken on Windows HOT 3
- Replace --force flag with --dev-release? HOT 7
- delete_stemcell is causing bosh CLI to fail when stemcell already does not exist HOT 2
- Is a internal ca certificate can be used for HOT 2
- [Windows] Missing bosh create-env support HOT 12
- Default interpolated x509 certificates have invalid 3 digits USA country code
- CLI crashes on trying to select multiple columns to print HOT 4
- bosh-cli didn't read the trailing zero '0' of stemcell version in manifest HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bosh-cli.