Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add custom certificate authority, to run behing a corporate firewall #4258

Open
slanglade opened this issue Nov 25, 2024 · 2 comments
Open

Add custom certificate authority, to run behing a corporate firewall #4258

slanglade opened this issue Nov 25, 2024 · 2 comments

Comments

@slanglade
Copy link

Describe the enhancement you'd like to see
I'm running Monokle behind a corporate proxy (Global Protect) that transparently manage all connections. So everything certificates from internet seems to be signed by the proxy's own authority. This works if the tool you're using (browser, jvm etc.) is aware of this custom authority.
I need to have a way to add this CA to Monokle in order to be able to work with it. Currently, Monokle is totally useless.

Additional context
There is no way I can disable or change the proxy, this is a corporate choice and mandatory config.
@github-project-automation github-project-automation bot moved this to No Status in Monokle Desktop Nov 25, 2024
@Styxxy
Copy link

Styxxy commented Dec 18, 2024
edited
Loading

I am in the same situation, but it works. I did do following:

  1. Create your own CA bundle, including your firewall certificate/CA. (I created a custom scheduled task in Powershell to extract all CA's from the Windows Certificate Store and bundle them into a CA bundle.
  2. Set the appropriate Environment Variables pointing to your CA bundle.
  3. The node runtime should pick up the EnvVar and use that CA bundle to validate SSL certs.

Following environment variables can be used I believe:

HTTPS_CERT_FILE=mycabundle.crt
NODE_EXTRA_CA_CERTS=mycabundle.crt
SSL_CERT_FILE=mycabundle.crt

I would bet on the NODE_EXTRA_CA_CERTS environment variable 😉.

@slanglade
Copy link
Author

slanglade commented Jan 2, 2025
edited
Loading

I've tried to use the NODE_EXTRA_CA_CERTS pointing to a pem file with all custom / local PKI certificates, to no avail : it still fails with "self signed certificate" error. In fact, I have to use the dreaded "NODE_TLS_REJECT_UNAUTHORIZED=0" to suppress all errors regarding bad certificates.

But the bad news is that even with the setting above and no more self signed error, the connection to the cluster is still failing when I click on the button to connect to one of my context, with a "HTTP Error: HTTP request failed" and no more details or log entries. Please note that kubectl or k9s are working fine from the same environment, without any custom parameter / environment variable.

I'm totally lost, as I don't have any specifics about what's going on. Is there a way to have more details about the error ?

@slanglade slanglade mentioned this issue Feb 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Monokle Desktop
Status: No Status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@slanglade @Styxxy