This repository has been archived by the owner on Sep 5, 2023. It is now read-only.

Current cake passport healthcheck is partly incompatible with Kubernetes #17

Closed
almereyda opened this issue Aug 1, 2022 · 5 comments

Comments

@almereyda
Contributor

Although the application works, it would be nice to see the healthcheck complete without failure when deploying a security-sensitive application like Passbolt into a cluster.

Here we can track incompatibilities between the two.

Currently these caveats are known to me:

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate

Also GPG verification fails. How could one debug this?

[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
@AnatomicJC
Contributor

Hi @almereyda 👋

Regarding the GPG verification, can you check your keys with these commands:

$ gpg --show-keys /path/to/your/public.key
pub   ed25519 2022-08-19 [SC]
      5A244375E7B0B2BC8F380B6CCFA241363242E90F
uid                      My Name <[email protected]>
sub   cv25519 2022-08-19 [E]

The line pub must end with [SC]; it means the key can sign and certify.
The line sub must end with [E]; it means the key can encrypt.

It is the same with the private key, but you will see sec instead of pub:

$ gpg --show-keys /path/to/your/private.key
sec   ed25519 2022-08-19 [SC]
      5A244375E7B0B2BC8F380B6CCFA241363242E90F
uid                      My Name <[email protected]>
sub   cv25519 2022-08-19 [E]

If you don't see these [SC] and [E], maybe you should create new server keys. Since version 3.6.0, you can use Elliptic Curve keys. I put helpful commands on my blog: https://jcvassort.open-web.fr/gpg-memo-passbolt/
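As an added example (not from this thread or the passbolt project), here is a small POSIX shell check that reads gpg --show-keys output and verifies the capability flags described above. It goes slightly beyond the "must end with" wording: it picks out the [..] flag group itself, so a key whose line continues with an expiry such as [expires: ...] is still checked correctly. Both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or the passbolt project.
# Reads `gpg --show-keys` output on stdin and checks the capability flags:
# the primary key (pub/sec) must carry S and C, and a subkey (sub/ssb) must carry E.
# Usage: gpg --show-keys /path/to/key | check_key_caps
check_key_caps() {
  awk '
    # Return the first [FLAGS] group on a line, e.g. "SC" from "[SC]".
    # Matches only capability letters, so "[expires: ...]" is ignored.
    function flags(line) {
      if (match(line, /\[[SCEA]+\]/)) return substr(line, RSTART + 1, RLENGTH - 2)
      return ""
    }
    /^(pub|sec) / { f = flags($0); if (index(f, "S") && index(f, "C")) primary_ok = 1 }
    /^(sub|ssb) / { f = flags($0); if (index(f, "E")) encrypt_ok = 1 }
    END {
      rc = 0
      if (!primary_ok) { print "[FAIL] primary key is not [SC] (sign + certify)"; rc = 1 }
      if (!encrypt_ok) { print "[FAIL] no subkey with [E] (encrypt)"; rc = 1 }
      if (rc == 0) print "[PASS] primary key [SC] and encryption subkey [E] present"
      exit rc
    }'
}

# Constructed sample mirroring the output quoted in the comment above.
good_key_output() {
  cat <<'EOF'
pub   ed25519 2022-08-19 [SC]
      5A244375E7B0B2BC8F380B6CCFA241363242E90F
uid                      My Name <me@example.invalid>
sub   cv25519 2022-08-19 [E]
EOF
}

# Constructed sample of a sign-only key with an expiry, which must fail the check.
sign_only_output() {
  cat <<'EOF'
pub   rsa4096 2020-01-01 [SC] [expires: 2030-01-01]
      0000000000000000000000000000000000000000
uid                      Placeholder <placeholder@example.invalid>
EOF
}

good_key_output | check_key_caps
```

A non-zero exit status from check_key_caps means at least one required capability is missing, which is the situation the two [FAIL] lines in the healthcheck point at.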

@AnatomicJC
Contributor

Regarding the Let's Encrypt certificate, are you using a traefik container to handle it, as described in the documentation?

You must be aware that the passbolt official container automatically creates SSL certificates while booting, with www.passbolt.local as hostname, and the healthcheck is using them.

Unless you mount your own certificates inside the container, the healthcheck will always fail on this point. The healthcheck has been written for servers, not containers; that's why you have an error about the missing passbolt.php configuration file, as with docker, environment variables are used.

@claudio-walser
Contributor

Hi Jon

  1. The JWT Healthcheck could possibly be fixed on our side using fsGroup; the only issue is that the folder permissions on /etc/passbolt/jwt are writable for anybody, even if the volume is finally mounted read-only and you cannot alter anything.

  2. As far as I am aware, SSL should be terminated by the ingress in Kubernetes. Automatic SSL certificates are handled over certbot in our case. The pod does run with individual hostnames and the URL you configured is at ingress level, thus the URL mismatch if you try to use the certificate mechanism built into the container image.
    In my opinion this is a feature if you run the passbolt container outside of Kubernetes. Therefore the healthcheck will always fail, I am afraid.

  3. Your third issue, regarding the GPG verification: I can confirm we do have the same issue in the healthcheck, but are still being able to properly en- and decrypt within the application.
    I can open a bug ticket on our side to investigate a bit more, but I am not sure what we can do, to be honest.

@claudio-walser
Contributor

@almereyda
I am going to close this issue since there is not much we can do to address the remaining issues, as those should be fixed in the software itself.

Feel free to reopen and thank you for opening the issue in the first place.

@almereyda
Contributor Author

What can you do (:

Thanks for trying.
