Origin: Add a 'Disable SSL check' option for cloning git repositories

Created on 10 Dec 2015 · 15 Comments · Source: openshift/origin

When creating an application, we are asked to enter the repo URL, which can use the HTTPS.

Sometimes we use repositories with a self-signed certificate and we just want to use them, mainly in dev environments.

So, it'd be nice to have an option to ignore certificate errors.

Currently the build fails:

```
E1210 17:26:08.548921 1 git.go:102] Clone failed: fatal: unable to access 'https://repo.git/': Peer's Certificate issuer is not recognized.
```

component/build priority/P2

All 15 comments

Pretty sure you can do this via a .gitconfig that you provide in your secret.

see "sslverify=false" as discussed here:
https://docs.openshift.org/latest/dev_guide/builds.html#other-authentication

closing since this is already possible, reopen if that solution does not work for you.

Please see the reasoning in the PR.
It's not a mandatory thing, of course. I'm doing this mainly for learning purposes. But this was a real issue I experienced at my first contact with origin :)

BTW, it seems I cannot reopen the issue...

I don't agree with the solution given by @bparees (even if it works)

I have many projects and many users which will try to get projects from our gitlab. Each time, users create an application, fill the gitlab url, and see an error. So they have to go to the "build" section, edit YAML, append a sourceSecret and rebuild...

I cannot understand why openshift won't use certificates that are trusted on servers (I was using "trust anchor our_cert.crt" and "curl" doesn't complain, git doesn't complain,...)

There should be a solution to force openshift to not complain about a trusted certificate. And without having to create templates...

Also, note that my error is not from "git.go" but "builder.go":

builder.go:204] Error: build error: fatal: unable to access 'https://XXXXX/pafer/drupal-openshift.git/': Peer's Certificate issuer is not recognized.

(XXXXX is replaced)

I agree with @metal3d , I also have lots of users and projects and it is difficult for them to create secret for each project/app they use.

It should be possible to either have cluster-wide option to disable ssl verification or a better alternative to import ROOT certificate as trusted into the cluster.

@metal3d @bortek you can now set GIT_SSL_NO_VERIFY=true as a default env variable in the cluster wide defaults:
https://docs.openshift.org/latest/install_config/build_defaults_overrides.html#manually-setting-global-build-defaults

https://docs.openshift.org/latest/dev_guide/builds.html#trusted-certificate-authorities

@bparees nice ! But I cannot change openshift version for now... At this time I'm using github secret + ssh url. I'll check this as soon as openshift can be updated on my Centos cluster.

Thanks a lot

@bparees anyway, I don't understand why a "self trusted" certificate (internal use) is not trusted with openshift. I tried "trust" command to add our ssl cert (trust anchor our.cert), then when I call our gitlab url with curl, there is no error (without -k option), so the certificate is trusted by our nodes.

IMHO, openshift should follow the system trusted certificates, shouldn't it?

> I tried "trust" command to add our ssl cert (trust anchor our.cert), then when I call our gitlab url with curl, there is no error (without -k option), so the certificate is trusted by our nodes.

the git cloning operations occur within a docker container, that docker container is based on a docker image that does not have your node's trusted certs in it. Hence my link above about how to provide your certs to the container doing the cloning process (https://docs.openshift.org/latest/dev_guide/builds.html#trusted-certificate-authorities)

hi guys,

I have tried this:
```
oc env bc/my-build GIT_SSL_NO_VERIFY=true
```

and it seems to work with origin 1.5 at least

Did anybody make @bparees's solution work?

> ... you can now set GIT_SSL_NO_VERIFY=true as a default env variable in the cluster wide defaults:

```
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        env:
        - name: GIT_SSL_NO_VERIFY
          value: 'true'
        - name: HTTP_PROXY
          value: http://proxy.org.local:8080
        - name: HTTPS_PROXY
          value: https://proxy.org.local:8080
        - name: NO_PROXY
```

and still seeing:

```
Cloning "https://gitlab.org.uk/openshift-examples/openshift-quickstarts.git" ...
  | error: build error: fatal: unable to access 'https://gitlab.org.uk/openshift-examples/openshift-quickstarts.git/': Peer's certificate issuer has been marked as not trusted by the user.
```

Modifying BC as per @akram works just fine.

Could it be that variables set via the admission plugin are applied just after the clone was initiated?
With @akram's solution the output is like this:

```
Cloning "https://gitlab.org.uk/openshift-examples/openshift-quickstarts.git" ...
--
  | Commit: a2ad21169f43bb47a17ffb0fb62f62dc8823f947 (fix formatting in readme)
  | Author: Rob Cernich <[email protected]>
  | Date:   Tue Aug 15 09:59:39 2017 -0600
  | Using HTTP proxy http://proxy.org.local:8080 and HTTPS proxy https://proxy.org.local:8080 for script download
```

@mangirdaz what level of openshift are you on? I think there were some issues historically w/ us not setting the default envs on the pod itself. May only be fixed in 3.6.

https://bugzilla.redhat.com/show_bug.cgi?id=1443187#c11
https://github.com/openshift/origin/pull/13825

What about pipeline scripts, how do you set http.verifySSL=false for the ephemeral Jenkins created by OpenShift?

you can set env vars in the jenkins slave, as part of the slave configuration.
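
An added example, not part of the original thread or OpenShift's own code: a Python audit over JSON shaped like `oc get bc --all-namespaces -o json` that lists every BuildConfig exporting `GIT_SSL_NO_VERIFY`, so the workaround from this thread can be tracked and later replaced by the trusted-CA secret. The sample data, host names and function names are constructed for illustration; it does not inspect the cluster-wide BuildDefaults configuration.

```python
import json

# Constructed sample shaped like `oc get bc -o json` output; all names are made up.
SAMPLE_BC_LIST = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "dev", "name": "my-build"},
   "spec": {"source": {"git": {"uri": "https://gitlab.example.internal/a/app.git"}},
            "strategy": {"type": "Source", "sourceStrategy": {
              "env": [{"name": "GIT_SSL_NO_VERIFY", "value": "true"}]}}}},
  {"metadata": {"namespace": "dev", "name": "looks-safe"},
   "spec": {"source": {"git": {"uri": "https://gitlab.example.internal/a/lib.git"}},
            "strategy": {"type": "Docker", "dockerStrategy": {
              "env": [{"name": "GIT_SSL_NO_VERIFY", "value": "false"}]}}}},
  {"metadata": {"namespace": "prod", "name": "verified"},
   "spec": {"source": {"git": {"uri": "https://gitlab.example.internal/a/web.git"},
                       "sourceSecret": {"name": "git-ca"}},
            "strategy": {"type": "Source", "sourceStrategy": {
              "env": [{"name": "HTTP_PROXY", "value": "http://proxy.example.internal:8080"}]}}}}
]}
""")

STRATEGY_KEYS = ("sourceStrategy", "dockerStrategy", "customStrategy",
                 "jenkinsPipelineStrategy")


def strategy_env(bc):
    """Return the env list of whichever build strategy the BuildConfig uses."""
    strategy = bc.get("spec", {}).get("strategy", {})
    for key in STRATEGY_KEYS:
        if key in strategy:
            return strategy[key].get("env") or []
    return []


def find_unverified_clones(bc_list):
    """List (namespace/name, git uri) for builds that export GIT_SSL_NO_VERIFY.

    Git only checks whether the variable is set, so "false" or "" disables
    certificate verification just like "true"; the value is ignored here too.
    """
    findings = []
    for bc in bc_list.get("items", []):
        if any(e.get("name") == "GIT_SSL_NO_VERIFY" for e in strategy_env(bc)):
            meta = bc["metadata"]
            uri = bc["spec"].get("source", {}).get("git", {}).get("uri", "")
            findings.append((f'{meta["namespace"]}/{meta["name"]}', uri))
    return findings


if __name__ == "__main__":
    for name, uri in find_unverified_clones(SAMPLE_BC_LIST):
        print(f"{name}: TLS verification disabled for {uri}")
```
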
