csantanapr commented on issue #2427: Support client certificate on cli and nginx URL: https://github.com/apache/incubator-openwhisk/pull/2427#issuecomment-311660489 Initial set of comments: I think is a great idea to have an extra level of security from client to apihost. A few comments for discussion: ## UX I think to having the user needing to configure the wsk CLI with a cert and a key properties on top of auth key is going to be a pain. Why not have the cert and key be compiled as a resource into the wsk CLI binary? This way user only need to set the `auth` property For dev, I agree using `--insecure | -i` then you can use the any wsk CLI binary with any apihost. Maybe is a good idea to still allow property set for `cert` and `key` as an easy way to override in cases operators or contributors quick test different of certs/keys saving the time to re-compile ### Docs Hopefully for users no Docs :-), this change would be transparent in production, user will just get the binary from the openwhisk provider/operator by downloading for example for the same apihost edge (i.e. cli/go/download/mac/amd64/OpenWhisk_CLI-mac.zip) where the binary will already have the client cert burned in, and backend can validate that the binary being used is a trusted source. I think we still needs some documentation for contributors/operators on how to configure, test, change the settings (i.e. key size, algorithm, etc..) etc to make client and backend configured properly. ### Operations/Deployment I think we need to roll this in in a way that is toggle-featured, to give time operators currently using the ansible config/files as is a chance to adapt and setup their nginx and front doors. Also toggled in the CLI. This way people can try it out from master without being the default. ### Testing I don't see negative tests, if the cert or key are wrongly configured, test the expected errors is shown and no access. have multiple of this, creating a cert with correct keys, but wrong expiration date, etc.. different combination making sure if, this could also be be feature toggle via gradle task/config ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
With regards, Apache Git Services
