Allow SSL certs to be defined per repository host #9299

TheFriendlyCoder opened this issue Apr 11, 2024 · 0 comments
Labels: kind/feature (Feature requests/implementations), status/triage (This issue needs to be triaged)

Comments

@TheFriendlyCoder
Issue Kind

Brand new capability

Description

Right now it is possible to set SSL certs for specific repositories (certificates..cert:) or globally (i.e. via REQUESTS_CA_BUNDLE), but there doesn't seem to be a way to set the same SSL cert for all repos hosted on the same server. This presents a problem when you are hosting multiple private repositories using a tool like Artifactory or similar, and the server itself uses a self-signed or privately signed SSL certificate.

Use case 1:
If you have separate repositories per team, then you need to set SSL overrides for each team repository, even though they all share the same cert.

Use case 2:
When you have the ability to host user-defined repositories for specific use cases, temporary development work, or personal use / forks, then it becomes difficult to ensure that every newly created repository has an appropriate SSL override set.

Use case 3:
The previous 2 use cases become more complex if you have multiple private repository servers, each with their own separate SSL certs. Then you have to account for the multiplicity problem (i.e. setting multiple SSL cert overrides for each server).

To help avoid this unnecessary duplication / maintenance overhead, it would be nice if Poetry allowed the assignment of custom cert bundles on a per-host basis rather than on a per-repository basis. If we could do something like "certificates.hostname.cert=/path/to/cert/file" and have that setting apply to ANY repository hosted on the given hostname it would make configuration and maintenance much simpler.

Impact

This makes it difficult if not impossible to create system-wide configurations (i.e. on CI builds, for example) to interact with these repositories. If the available repositories change over time, then it becomes hard to maintain custom overloads for the SSL certs for each repo as they change.

Workarounds

None that I am aware of. The best workaround I've come up with is to inject the various SSL certs into the build environment and then pass the responsibility of selecting the correct cert for the correct purpose to the individual project owners, which is fragile, error-prone, and difficult to maintain.
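The per-host mapping requested above, sketched as an added example that is not part of the original issue and is not Poetry code: it expands a host-to-CA-bundle map into the existing per-repository `poetry config certificates.<name>.cert <path>` settings. The function name `plan_cert_config` and all hostnames, repository names and paths are hypothetical; hosts are matched exactly and only over https, so a lookalike or plaintext URL is never given a private CA bundle.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample data: every hostname, repository name and path is hypothetical.
HOST_CA_BUNDLES = {
    "artifactory.corp.example": "/etc/ssl/private-ca/artifactory.pem",
    "nexus.corp.example": "/etc/ssl/private-ca/nexus.pem",
}
REPOSITORIES = {
    "team-a": "https://artifactory.corp.example/api/pypi/team-a/simple",
    "team-b": "https://Artifactory.corp.example:8443/api/pypi/team-b/simple",
    "forks": "https://nexus.corp.example/repository/forks/simple",
    "suffix": "https://artifactory.corp.example.other.test/simple",
    "plain": "http://artifactory.corp.example/api/pypi/plain/simple",
}


def plan_cert_config(repositories, host_ca_bundles):
    """Expand a host -> CA bundle map into per-repository Poetry settings.

    Returns (commands, skipped). commands is a list of argv lists for
    `poetry config certificates.<name>.cert <path>`; skipped maps a
    repository name to the reason no CA bundle was assigned to it.
    """
    bundles = {h.lower().rstrip("."): p for h, p in host_ca_bundles.items()}
    commands, skipped = [], {}
    for name, url in sorted(repositories.items()):
        parts = urlsplit(url)
        # urlsplit lowercases the hostname and drops the port for us.
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme != "https":
            skipped[name] = "not https"
        elif host not in bundles:
            # Exact match only: no suffix or wildcard matching on hostnames.
            skipped[name] = "no bundle for host " + host
        else:
            commands.append(
                ["poetry", "config", f"certificates.{name}.cert", bundles[host]]
            )
    return commands, skipped


if __name__ == "__main__":
    commands, skipped = plan_cert_config(REPOSITORIES, HOST_CA_BUNDLES)
    for argv in commands:
        print(shlex.join(argv))
    for name, reason in skipped.items():
        print(f"# {name}: no per-repository cert set ({reason})")
```

Skipped repositories get no override at all, so certificate verification for them stays on whatever trust store is already in effect instead of being relaxed.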
