stratos-dev mailing list archives

From Imesh Gunaratne <im...@apache.org>
Subject Re: Cartridge deployment can't access private git repository with custom CA certificate
Date Fri, 27 Mar 2015 03:48:42 GMT
Hi Ricardo,

This is how we send Git credentials to the instance:

- We do not send Git credentials in the payload due to security reasons.
- Git password is encrypted using an auto-generated key.
- The above key is sent in the payload.
- Git credentials are sent in the Artifact Updated event.
- The cartridge agent listens to the above event and executes the Git clone/pull.

If you could share the cartridge agent log, which might be located in the
/var/logs/apache-stratos/ folder, we should be able to investigate this
further.

Thanks

On Thu, Mar 26, 2015 at 3:33 PM, Ricardo Carvalho <
Ricardo.Carvalho@identity.pt> wrote:

>  Hi Chamila
>
>
>  Thanks for the suggestion, but the access is configured for HTTPS. The
> problem now is that I can't find the repo credentials anywhere in the
> payload, even when I try submitting them both through the web interface and
> the CLI tool. I also tried manually adding them to the .git/config file,
> but since that folder is constantly being overwritten by the Artifact
> Coordinator, all changes are overwritten.
>
>
>  Any help is appreciated.
>
> Ricardo Carvalho
>  ------------------------------
> *From:* Chamila De Alwis <chamilad@wso2.com>
> *Sent:* 25 March 2015 15:36
>
> *To:* dev
> *Subject:* Re: Cartridge deployment can't access private git repository
> with custom CA certificate
>
>  Hi Ricardo,
>
>  AFAIR in Stratos 4.0.0, only git clone over HTTPS is supported with
> Username and Password credentials. If it is possible please configure the
> git server for access over HTTPS.
>
>
>  Regards,
>  Chamila de Alwis
>  Software Engineer | WSO2 | +94772207163
>  Blog: code.chamiladealwis.com
>
>
>
> On Wed, Mar 25, 2015 at 6:38 PM, Ricardo Carvalho <
> Ricardo.Carvalho@identity.pt> wrote:
>
>>  Hi Imesh
>>
>>
>>  Now that you mention it, I noticed there were no credentials in the
>> payload, both when I subscribed through the web interface and when I used
>> "subscribe-cartridge" in the command-line tool.
>>
>>
>>  Should I just add them to the launch-params file in the cartridge
>> instance? Or am I missing something in configuring Apache Stratos?
>>
>>
>>  Thank you for your support
>>
>> Ricardo Carvalho
>>  ------------------------------
>> *From:* Imesh Gunaratne <imesh@apache.org>
>> *Sent:* 25 March 2015 00:31
>> *To:* dev
>> *Subject:* Re: Cartridge deployment can't access private git repository
>> with custom CA certificate
>>
>>   Hi Ricardo,
>>
>>  It's nice to hear that you are trying to use Stratos 4.0.0.
>>
>>  I cannot recall whether we used a certificate to talk to the private
>> Git repository from Cartridge Agent but I know for sure that we need Git
>> repository credentials. Can you please check whether the Cartridge Agent
>> has received Git repository credentials in the payload?
>>
>>  Thanks
>>
>> On Tue, Mar 24, 2015 at 11:19 PM, Ricardo Carvalho <
>> Ricardo.Carvalho@identity.pt> wrote:
>>
>>>  Hi everyone.
>>>
>>>
>>>  I've followed the 4.0.0 installation guide and have managed to
>>> successfully deploy several php and load balancer cartridges on an
>>> Openstack environment. However, a custom certificate is needed to access
>>> the private git repo I indicated as the artifact source when deploying,
>>> and the cartridge agent is failing when trying to access this git repo.
>>>
>>>
>>>  I added the certificate to /etc/ssl/certs/ca-certificates.crt, and can
>>> then use git clone directly inside the cartridge instance with no problems.
>>> I tried adding the same certificate to the client-truststore.jks keystore
>>> and even to the wso2carbon.jks in the Apache Stratos VM, but I still get
>>> the following errors:
>>>
>>>
>>>  INFO CartridgeAgent Executing git checkout
>>> 2015-03-24 15:47:34,849 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> Initializing git context.
>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> local path /var/www/
>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> remote url <private repo URL redacted>
>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> tenant -1234
>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> Repo path returned : /var/www/
>>> 2015-03-24 15:47:34,935 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>> caching repo context
>>> 2015-03-24 15:47:35,584 [-] [Thread-4] ERROR GitBasedArtifactRepository
>>> Accessing remote git repository failed for tenant -1234
>>> org.eclipse.jgit.api.errors.TransportException: <private repo URL
>>> redacted>: not authorized
>>>         at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
>>>         at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:179)
>>>         at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)
>>>
>>>
>>>  What's the best way to add a custom CA certificate to a cartridge so
>>> that it can access a private git repository that requires it?
>>>
>>>
>>>  Thank you for all your hard work
>>>
>>> Ricardo Carvalho
>>>
>>
>>
>>
>>  --
>>  Imesh Gunaratne
>>
>> Technical Lead, WSO2
>> Committer & PMC Member, Apache Stratos
>>
>
>


-- 
Imesh Gunaratne

Technical Lead, WSO2
Committer & PMC Member, Apache Stratos
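
Added example (not part of the original message and not Apache Stratos code): a sketch of the delivery scheme listed in the reply above, where the instance payload carries only the auto-generated key and the Artifact Updated event carries the encrypted Git password. AES-GCM, the class and method names, and the sample password are assumptions; the thread does not say which cipher Stratos uses.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical sketch; names and cipher choice are assumptions, not Stratos internals.
public class CredentialDeliverySketch {
    // Manager side: auto-generate a key; this is what travels in the instance payload.
    static String newPayloadKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
    }

    // Manager side: encrypt the Git password; this is what travels in the event.
    static String encryptForEvent(String password, String payloadKey) throws Exception {
        byte[] iv = new byte[12];                     // fresh nonce per encryption
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(payloadKey), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length]; // wire format: nonce || ciphertext+tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Agent side: combine the key from the payload with the field from the event.
    // A wrong key or a tampered field fails the GCM tag check and throws.
    static String decryptFromEvent(String eventField, String payloadKey) throws Exception {
        byte[] in = Base64.getDecoder().decode(eventField);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(payloadKey), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    static SecretKey key(String b64) {
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    public static void main(String[] args) throws Exception {
        String payloadKey = newPayloadKey();
        String eventField = encryptForEvent("constructed-sample-password", payloadKey);
        System.out.println("event field (no plaintext): " + eventField);
        System.out.println("agent recovers: " + decryptFromEvent(eventField, payloadKey));
    }
}
```

In this arrangement the payload never contains the username or password, only the key, so inspecting the payload alone will not show the credentials; the password is protected only as long as the payload and the event are not both exposed to the same party.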
