feat: Allow using self-signed certificates in HTTPS health tests #39
Conversation
|
It seems there are some issues relevant to newer Rust compiler. If this looks 👌 I'm happy to submit another PR solving the Rust lints and rebase this one on top of the other. Edit: Fixed issues in #41. |
|
the #41 PR is merged, you can rebase on top of main |
ilaborie
left a comment
ilaborie
left a comment
There was a problem hiding this comment.
👏 Very good suggestion
Just update the PR with these small changes to let the user opt-in to validate certificate:
- Add the
require_valid_certs: boolattribute in theWaitStrategy::HttpSuccessvariant. - use this field here
- document to explain that for testing purpose the default value is allowing invalid certificate.
rustainers/src/runner/inner.rs
Outdated
| ); | ||
| let Ok(response) = reqwest::get(&url).await else { | ||
| let Ok(client) = reqwest::ClientBuilder::new() | ||
| .danger_accept_invalid_certs(true) |
There was a problem hiding this comment.
That's too dangerous, I understand the use case, so I think we should allow the use to choose if this value.
There was a problem hiding this comment.
Excellent feedback - exactly what I was looking for!
document to explain that for testing purpose the default value is allowing invalid certificate.
If the option is there I'm okay with having require_valid_certs: true as the default (I'd just set it to false in my code).
I assume you're talking about WaitStrategy::https function?
Usually, the container's HTTPS ports use self-signed certificates instead of real ones. This makes the HTTPS health check always fail and be retried. This PR allows self-signed certificates for health checks by adding the `require_valid_certs` configuration field to `WaitStrategy`. Signed-off-by: Wiktor Kwapisiewicz <[email protected]>
wiktor-k
force-pushed
the
wiktor-k/allow-using-self-signed-certs
branch
from
fe96865 to
95b4b09
Compare
2 participants
Usually, the container's HTTPS ports use self-signed certificates instead of real ones. This makes the HTTPS health check always fail and be retried.
This PR allows self-signed certificates for health checks.
I think for health-checks it's an acceptable trade-off but I'm open for getting even better ideas that solve the underlying problem (HTTPS health-checks being almost useless).
Thanks for your time! 👋