Add support for additional certificates in the generated pongo test image

[tomereli]

At PayPal, we have corporate proxies for which IT pre-installs the self-signed certificates in all laptops and working stations.
pongo run fails due to this - with SSL: CERTIFICATE_VERIFY_FAILED - self signed certificate in chain.

To fix this, need to add ce-certificates to the RUN apt install line in the Dockerfile, copy the self-signed certificates to the image, run update-ca-certificates and add ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to the Dockerfile.

Need to add support to inject the certificates to the CLI - perhaps this should be in the kong base image even, I'll let the Kong team decide.

[Tieske]

why would the REQUESTS_CA_BUNDLE env var be required? isn't that Python specific?

[tomereli]

It is Python specific, from my experience each app might behave differently when it comes to certificates, and since Pongo is using httpie which is written in Python, it is required, as Python doesn't use the system certificates by default - it requires explicitly adding them. This can be done using the REQUESTS_CA_BUNDLE env var, or with the certifi module as mentioned in https://github.com/python/cpython/blob/e05a703848473b0365886dcc593cbddc46609f29/Mac/BuildScript/resources/ReadMe.rtf#L22-L34

Note - this might only be required for mac - see https://github.com/python/cpython/blob/e05a703848473b0365886dcc593cbddc46609f29/Mac/BuildScript/build-installer.py#L239-L246

[Tieske]

yes, httpie would use it.

[Tieske]

so could we add the certs to ./.pongo/ca-certs/, and then adapt the dockerfile to copy them in and do the cert dance as described.

[Tieske]

hmmm... maybe not. The ./.pongo/ folder is plugin specific, but the generated image is system wide.

So we'd need to add a system-pongo directory for config options.

[tomereli]

As Pongo Dockerimage extends Kong - I assume the same will be needed in other images, in which case don't you think adding the ca-certs in the kong base-image and propagating them as user supplied argument or some other means from every derived tool is better?

[tomereli]

hmmm... maybe not. The ./.pongo/ folder is plugin specific, but the generated image is system wide.

So we'd need to add a system-pongo directory for config options.

Does that mean you will add the certificates into the pongo repository instead of letting users pass them as env vars / command line arguments?

I think something like pongo run --ca-certs ~/my_certs will cover all usecases and keep it generic.

[Tieske]

But then it might be better to generate a custom Kong image (not a Pongo responsibility), and pass that in as $KONG_IMAGE.

Though #454 indicates that it might have issues...

[tomereli]

But then it might be better to generate a custom Kong image (not a Pongo responsibility), and pass that in as $KONG_IMAGE.

Though #454 indicates that it might have issues...

Sounds legit. #454 would need to be addressed first though.

[Tieske]

@tomereli have you considered using the PONGO_DOCKER_FILE environment variable? see pongo build --help.

[Tieske]

@tomereli here's a different approach: #509

• httpie becomes optional
• curl disables verification during the build

could this work for you?