
Document Airgap Process for NPM #15501

Closed
tsmaeder opened this issue Dec 17, 2019 · 8 comments
Labels
area/languages Issues related to Language extensions or plugins integration. kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.

Comments

@tsmaeder
Contributor

Test and document the process of setting up an airgap solution for NPM. In particular, configure a workspace based on our default nodejs devfile to use a npm repository that uses a self-signed certificate.

@tsmaeder tsmaeder added the kind/task Internal things, technical debt, and to-do tasks to be performed. label Dec 17, 2019
@tsmaeder
Contributor Author

Instructions should be attached to this issue.

@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Dec 17, 2019
@nickboldt
Contributor

Related: #14857

@tsmaeder tsmaeder added area/languages Issues related to Language extensions or plugins integration. team/languages and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Dec 17, 2019
@l0rd l0rd added the severity/P1 Has a major impact to usage or development of the system. label Dec 17, 2019
@tsmaeder tsmaeder added this to the Backlog - Languages milestone Dec 18, 2019
@sunix
Contributor

sunix commented Mar 9, 2020

@tsmaeder this is the important information to set up an npm registry with a self-signed certificate, using a devfile at the moment. The next comment is the complete set of steps to set up a test environment and check that these are actually working.

Npm airgap devfile

Assuming that you have a remote private NPM registry and that https://registry.npmjs.org is not accessible from your network.

In your npm project devfile:

  1. Zip your certificate and make it available through http to your workspace (tls.crt in our example).
  2. Import your zip into the workspace from the devfile:

```yaml
- source:
    type: zip
    location: 'https://github.com/sunix/che-quarkus-demo/releases/download/nexus/config-nexus.zip'
  name: config-nexus
```

  3. Add to the component where the npm commands will be executed, providing your npm registry location and the certificate location previously downloaded:

```yaml
env:
  - name: NODE_EXTRA_CA_CERTS
    value: "/projects/config-nexus/tls.crt"
  - name: NPM_CONFIG_REGISTRY
    value: "https://snexus-airgap.apps.acme.com/repository/npm-proxy/"
```

@sunix
Contributor

sunix commented Mar 10, 2020

Setup Test environment

Setup Nexus

Here, I will describe how I install Nexus to test my configuration. Nexus will be installed through an operator in OpenShift 4.2.

Install the operator

From the OpenShift 4.2 console, as an admin:

  • Create an airgap project,

  • install the nexus3 operator from the OperatorHub

  • Create Nexus by going to Installed Operators and the Nexus tab

  • Once Nexus is started, access Nexus

  • Log in as admin; you can get the generated admin password, which is located in /nexus-data/admin.password of the Nexus pod

  • Change the admin password from the Nexus profile.

Create a proxy repo

Create a nexus repository for NPM. Select proxy to https://registry.npmjs.org. Block outbound connections on the repository for now. (we are going to test that we are really offline)

Copy the repo URL; we are going to use it next.

Start the test workspace

Start a workspace from this devfile:

https://gist.github.com/sunix/00f890965f04620139e616fbcba75444

This devfile will set user.home to /project for the quarkus-backend-dev container.

Test offline

Remove the file `postit-app/node-frontend/package-lock.json` (or any lock file that may contain information about the registries from which to download a dependency).

In the container `node-frontend-dev`, open the terminal:

```shell
npm config set registry http://nexus3-airgap.apps.cluster-paris-8905.paris-8905.example.opentlc.com/repository/npm-proxy/

cd /projects/postit-app/node-frontend; npm install
```

The npm build is failing as we blocked internet access from Nexus (it won't mirror).

The file we have changed is:

```console
$ cat ~/.npmrc
registry=http://nexus3-airgap.apps.cluster-paris-8905.paris-8905.example.opentlc.com/repository/npm-proxy/
```

TODO try: NPM_CONFIG_REGISTRY

But it doesn't work if auth is needed ...

Checking Language Server

Nothing to do, as the plugin does not download any dependencies. The user would have to perform an `npm install` manually from the terminal or a task.

Checking NPM command line

Re-enable the proxy to connect to the internet.

Retry a build.

Setup TLS with self signed certificate for Nexus

Configure Nexus with TLS and self-signed certificate

We are going to add a new route with TLS and a self-signed certificate that we create:

Create the certificate (adapt the CN to your hostname):

```shell
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout tls.key -out tls.crt -subj '/CN=acme.com' \
  -addext 'subjectAltName=DNS:*.apps.acme.com'
```

or, if the OpenSSL version is < 1.1.1:

```shell
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout tls.key -out tls.crt -subj '/CN=opentlc.com' \
  -extensions san \
  -config <(echo '[req]'; echo 'distinguished_name=req'; \
            echo '[san]'; echo 'subjectAltName=DNS:*.apps.cluster-paris-8905.paris-8905.example.opentlc.com')
```

Notes:

Create a new route in the project where the Nexus operator cluster is deployed:

```console
$ oc project airgap
$ oc create route edge snexus --service=nexus3 --cert=tls.crt --key=tls.key
$ oc describe Route snexus
Name: snexus
Namespace: airgap
Created: 14 seconds ago
Labels: app=nexus3
Annotations: openshift.io/host.generated=true
Requested Host: snexus-airgap.apps.acme.com
exposed on router default (host apps.acme.com) 14 seconds ago
Path: <none>
TLS Termination: edge
Insecure Policy: <none>
Endpoint Port: http
Service: nexus3
Weight: 100 (100%)
Endpoints: 10.128.2.18:8081
```

Configure NPM to use the Secured Nexus (with self-signed certificate)

Change the registry URL to point to the secured one:

```shell
npm config set registry https://snexus-airgap.apps.cluster-paris-8905.paris-8905.example.opentlc.com/repository/npm-proxy/
```

Remove the node_modules folder and try to rebuild it.

It fails as expected: we have not uploaded the certificate and told NPM to use it.

Upload tls.crt and set the env variables:

```shell
export NODE_EXTRA_CA_CERTS=/projects/config-nexus/tls.crt
export NPM_CONFIG_REGISTRY=https://snexus-airgap.apps.cluster-paris-8905.paris-8905.example.opentlc.com/repository/npm-proxy/
```

Npm airgap devfile

Assuming that you have a remote private NPM registry and that https://registry.npmjs.org is not accessible from your network.

In your npm project devfile:

  1. Zip your certificate and make it available through http to your workspace.
  2. Import your zip into the workspace from the devfile:

```yaml
- source:
    type: zip
    location: 'https://github.com/sunix/che-quarkus-demo/releases/download/nexus/config-nexus.zip'
  name: config-nexus
```

  3. Add to the component where the npm commands will be executed, providing your npm registry location and the certificate location previously downloaded:

```yaml
env:
  - name: NODE_EXTRA_CA_CERTS
    value: "/projects/config-nexus/tls.crt"
  - name: NPM_CONFIG_REGISTRY
    value: "https://snexus-airgap.apps.acme.com/repository/npm-proxy/"
```
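As an added example (not part of the issue or of the Che project), a Node script that performs the check behind the "remove the lock file" step in the test above: it lists every `resolved` URL in a package-lock.json that is not under the approved private registry, so an airgapped workspace does not silently reach for registry.npmjs.org or the unencrypted route. The registry URL is the one from the devfile above; the sample lock file and the nexus3 host in it are constructed.

```javascript
// Audit a package-lock.json before `npm install` in an airgapped workspace: report every
// dependency whose "resolved" URL is outside the approved private registry. Supports
// lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map). Registry from the devfile.
const ALLOWED_REGISTRY = 'https://snexus-airgap.apps.acme.com/repository/npm-proxy/';

function findForeignResolved(lock, allowedRegistry) {
  const allowed = allowedRegistry.endsWith('/') ? allowedRegistry : allowedRegistry + '/';
  const seen = new Set(); // v2 locks carry both maps; report each package once
  const offenders = [];
  const check = (name, entry) => {
    if (!entry || typeof entry.resolved !== 'string') return; // bundled/link deps have none
    const key = `${name}@${entry.resolved}`;
    if (entry.resolved.startsWith(allowed) || seen.has(key)) return;
    seen.add(key);
    offenders.push({ name, resolved: entry.resolved });
  };
  // lockfileVersion 2/3: flat map keyed by install path; '' is the root project itself
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue;
    check(installPath.replace(/^.*node_modules\//, ''), entry); // keeps @scope/name
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested dependency tree
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return offenders;
}

// Constructed sample lock: one package from the mirror, one public, one from the plain-http route.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: '16.13.0', resolved: 'https://registry.npmjs.org/react/-/react-16.13.0.tgz',
      dependencies: { 'loose-envify': { version: '1.4.0',
        resolved: ALLOWED_REGISTRY + 'loose-envify/-/loose-envify-1.4.0.tgz' } } },
    'left-pad': { version: '1.3.0',
      resolved: 'http://nexus3-airgap.apps.acme.com/repository/npm-proxy/left-pad/-/left-pad-1.3.0.tgz' },
  },
};

// Usage: node audit-lock.js path/to/package-lock.json (honours NPM_CONFIG_REGISTRY if set)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const bad = findForeignResolved(JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')),
    process.env.NPM_CONFIG_REGISTRY || ALLOWED_REGISTRY);
  for (const o of bad) console.log(`${o.name} -> ${o.resolved}`);
  process.exitCode = bad.length ? 1 : 0; // non-zero so a devfile task or CI step can fail on it
}
```

Run on the sample, it reports `react` (public registry) and `left-pad` (http route) while `loose-envify` passes.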

@tsmaeder
Contributor Author

@sunix what about authenticated access to the registry?

@tsmaeder
Contributor Author

@sunix why not use NPM_CONFIG_CAFILE? That would be in keeping with the rest of the documented procedures.

@sunix
Contributor

sunix commented Mar 16, 2020

@tsmaeder not sure ... I think i've tried but it wasn't working ... nodejs/node-gyp#695 (comment)

@ericwill
Contributor

Is there anything left to document here?
