[jira] [Work logged] (KNOX-3085) Metadata API should return the certificate chain (if any) instead of only the configured Knox instance certificate

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3085?focusedWorklogId=953762&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-953762
 ]

ASF GitHub Bot logged work on KNOX-3085:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Jan/25 01:46
            Start Date: 23/Jan/25 01:46
    Worklog Time Spent: 10m 
      Work Description: pzampino opened a new pull request, #988:
URL: https://github.com/apache/knox/pull/988

   ## What changes were proposed in this pull request?
   
   Modify the Metadata API to return the certificate chain when a load balancer 
is between Knox and its clients.
   
   ## How was this patch tested?
   
   Unit tests and manual tests with a LB in front of Knox.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 953762)
    Time Spent: 1h  (was: 50m)

> Metadata API should return the certificate chain (if any) instead of only the 
> configured Knox instance certificate
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-3085
>                 URL: https://issues.apache.org/jira/browse/KNOX-3085
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Currently if you hit the Knox metadata API, it will return the 
> locally-configured Knox certificate. This works great if there is nothing 
> between the client and Knox. When a LB is in the middle, the returned 
> certificate is incorrect. The certificate that should be returned is one for 
> the endpoint that is accessed. This means we should try to return the LB 
> certificate if there is a LB.
> Since we know what URL was accessed to hit the metadata API, Knox itself 
> should be able to grab the certificate chain for that host:port and return 
> the PEM and JKS version of it. This will require basically doing an `openssl 
> s_client -connect host:port` from Java and converting into the correct 
> format. Conveniently, the Knox CLI has something like this today that 
> downloads the Knox certificate. We should be able to reuse the same logic in 
> the metadata API and return the correct certificate information.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)