share system certificate support #2653

Merged
merged 1 commit into from
Feb 12, 2025

Contributor

@ritzk ritzk commented Feb 12, 2025

User description

Description

support shared system certificate

Motivation and Context

This will allow one to drop CA certs to /usr/local/share/ca-certificates via volumes/mount, run update-ca-certificates as a part of postStart, and test against sites secured by self-signed certificates.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have read the contributing document.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

notes:
https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html
https://github.com/chromium/chromium/blob/main/docs/linux/cert_management.md
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180


PR Type

Enhancement


Description

  • Added support for shared system certificates in Dockerfile.

  • Installed p11-kit and p11-kit-modules for certificate management.

  • Facilitates testing against self-signed certificate-secured sites.


Changes walkthrough 📝

Relevant files
Enhancement
Dockerfile
Add shared system certificate support in Dockerfile           

NodeBase/Dockerfile

  • Added p11-kit and p11-kit-modules packages.
  • Enhanced support for shared system certificates.
  • Updated Dockerfile to include certificate management tools.
  • +5/-0     


    CLAassistant commented Feb 12, 2025

    CLA assistant check
    All committers have signed the CLA.


    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ No major issues detected


    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category: Security
    Suggestion: Add missing SSL certificate package

    Add the 'ca-certificates' package to ensure proper SSL/TLS certificate
    validation and system-wide certificate management.

    NodeBase/Dockerfile [104-108]

     #==============================
     # shared system certificate support
     #==============================
     p11-kit \
     p11-kit-modules \
    +ca-certificates \
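
    Review bot: The suggested `+ca-certificates \` line under the "shared system certificate support" header is proposed from a five-line window (NodeBase/Dockerfile [104-108]), which cannot show whether the package is already in the install list elsewhere in the file; check the full package list before adding it, since a duplicate entry here would only add noise. The header comment could also state what p11-kit and p11-kit-modules provide, because the package names alone do not document how the shared trust store is meant to be used.
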
    Suggestion importance[1-10]: 9

    Why: Adding ca-certificates package is crucial for proper SSL/TLS certificate validation and secure communication. This is a critical security enhancement that complements the existing certificate management tools being added.

    Impact: High

    @ritzk
    Contributor Author

    ritzk commented Feb 12, 2025

    This is already installed

    Member

    @VietND96 VietND96 left a comment

    LGTM!

    @VietND96 VietND96 merged commit e342765 into SeleniumHQ:trunk Feb 12, 2025
    25 of 27 checks passed
    @VietND96
    Member

    Thank you, @ritzk!

    @ritzk
    Contributor Author

    ritzk commented Feb 12, 2025

    To use this, mount the root CA to /usr/local/share/ca-certificates/my-ca-dir using extraVolumeMounts/extraVolumes, and set up postStart:

            command: ["/bin/bash", "-c", "sudo ln -sf /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so"]

    ref: #1176
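
The steps described in this thread (mount the CA, run update-ca-certificates, relink libnssckbi.so) each leave something that can be checked from inside the node container. The shell functions below are an added example, not code from the PR or the project; the function names are hypothetical and the default paths are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not code from the PR. Default paths are the ones quoted in
# the thread; every function takes overrides so it can run on a scratch tree.

# Print files under the local CA directory that are unsuitable for
# update-ca-certificates: it only picks up names ending in .crt, and the
# files are expected to be PEM.
unusable_ca_files() {
  dir="${1:-/usr/local/share/ca-certificates}"
  find -L "$dir" -type f ! -name '*.crt'
  find -L "$dir" -type f -name '*.crt' -exec sh -c \
    'grep -q -e "-----BEGIN CERTIFICATE-----" "$1" || printf "%s\n" "$1"' _ {} \;
}

# Succeed only if libnssckbi.so is a symlink resolving to an existing
# p11-kit-trust.so. ln -sf creates a dangling link without complaint (wrong
# architecture directory, package missing), so the target is checked too.
nss_uses_p11kit() {
  libdir="${1:-/usr/lib/x86_64-linux-gnu}"
  [ -L "$libdir/libnssckbi.so" ] || return 1
  target=$(readlink -f "$libdir/libnssckbi.so") || return 1
  [ "$(basename "$target")" = "p11-kit-trust.so" ] && [ -f "$target" ]
}

# Succeed if the bundle written by update-ca-certificates contains the given
# PEM certificate. Heuristic: matches the certificate's first base64 line.
bundle_has_cert() {
  cert="$1"; bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
  first=$(grep -v -e '-----' "$cert" | head -n 1)
  [ -n "$first" ] && grep -q -F -e "$first" "$bundle"
}

# Run all checks for one mounted CA file, e.g. as the last postStart step.
# Usage: check_node_trust CA_FILE [LIBDIR] [BUNDLE]; non-zero if any check fails.
check_node_trust() {
  ca="$1"; rc=0
  bad=$(unusable_ca_files "$(dirname "$ca")")
  [ -z "$bad" ] || { echo "not importable: $bad" >&2; rc=1; }
  nss_uses_p11kit "${2:-/usr/lib/x86_64-linux-gnu}" ||
    { echo "libnssckbi.so does not resolve to p11-kit-trust.so" >&2; rc=1; }
  bundle_has_cert "$ca" "${3:-/etc/ssl/certs/ca-certificates.crt}" ||
    { echo "CA not in bundle; was update-ca-certificates run?" >&2; rc=1; }
  return "$rc"
}
```
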
