batchchanges: Load custom certs into the http client used to create GitHub Apps#55084
Conversation
|
Codenotify: Notifying subscribers in CODENOTIFY files for diff 228f2fa...6faa5b9.
|
…p can only do commit signing
courier-new
left a comment
There was a problem hiding this comment.
Great! 🙌 Just left some feedback about duplicating the new docs section in the repo-syncing GH App docs, too. You should definitely add a CHANGELOG entry for this, too. 😄
|
|
||
| ### Custom Certificates | ||
|
|
||
| If you are using a self-signed certificate for your GitHub Enterprise instance, configure `tls.external` under `experimentalFeatures` |
There was a problem hiding this comment.
This configuration step for self-signed certificates would also be required for normal repo-syncing GitHub App set up, right? If so, we probably should double up this section on doc/admin/external_service/github.md (you. might have noticed, the GH Apps part of that doc and this one share the exact same structure and contents, this one's just tailored for any BC-specific nuances and language).
There was a problem hiding this comment.
Ah, thank you. I forgot about that doc. I'll copy this section to there as well.
|
|
||
| ### Custom Certificates | ||
|
|
||
| If you are using a self-signed certificate for your GitHub Enterprise instance, configure `tls.external` under `experimentalFeatures` |
There was a problem hiding this comment.
Separately, is this experimental feature documented elsewhere? I take from this PR that it's pre-existing functionality, so it'd be cool if we could link to any additional details about it here so an admin could understand where else the cert might be used in SG.
There was a problem hiding this comment.
Unfortunately it is not documented anywhere. I dug into when it was first introduced. It was added on Jan 13, 2020 (commit 42ec4ab1).
It probably not an experimental feature anymore 😀
There was a problem hiding this comment.
Ah yes, probably not. 😂 Okay, maybe log an issue to GA and document it and call it good? Idk if that's "Code Search" territory or not lol but at least then we'll have a record about this conversation. 😛
There was a problem hiding this comment.
lol sounds good I'll create an issue and see where it falls
…itHub Apps (#55084) Previously, we were using Go's default HTTP Client (`http.DefaultClient`) to invoke GitHub to create GitHub apps. This client does not work with custom certificates that may need to be used if calling an on-prem GitHub instance. ### Changes * Updated to use our `httpcli.UncachedExternalClientFactory` instead of `http.DefaultClient` * This gives us access to logging, tracing, etc... out of the box * Loading certs that are configured in `experimentalFeatures.tls.external.certificates` into the HTTP client * This happpens automagically with `httpcli.UncachedExternalClientFactory`. It has an option called `ExternalTransportOpt` that loads the certs from `tls.external` (see recording to see this in action) ## Test plan Added new tests and tested manually. (cherry picked from commit 97fad93)
…sed to create GitHub Apps (#55238) Previously, we were using Go's default HTTP Client (`http.DefaultClient`) to invoke GitHub to create GitHub apps. This client does not work with custom certificates that may need to be used if calling an on-prem GitHub instance. ### Changes * Updated to use our `httpcli.UncachedExternalClientFactory` instead of `http.DefaultClient` * This gives us access to logging, tracing, etc... out of the box * Loading certs that are configured in `experimentalFeatures.tls.external.certificates` into the HTTP client * This happpens automagically with `httpcli.UncachedExternalClientFactory`. It has an option called `ExternalTransportOpt` that loads the certs from `tls.external` (see recording to see this in action) ## Test plan Added new tests and tested manually (see below for recordings) ### Creating an app https://github.com/sourcegraph/sourcegraph/assets/38407415/ffb78a7b-43a1-41bf-b22e-b2e9f595122f ### Validation of custom certs being loaded https://github.com/sourcegraph/sourcegraph/assets/38407415/47135e09-1fad-4086-82ce-056d4067e386 <br> Backport 97fad93 from #55084 Co-authored-by: Randell Callahan <piszmogcode@gmail.com>
…itHub Apps (#55084) Previously, we were using Go's default HTTP Client (`http.DefaultClient`) to invoke GitHub to create GitHub apps. This client does not work with custom certificates that may need to be used if calling an on-prem GitHub instance. ### Changes * Updated to use our `httpcli.UncachedExternalClientFactory` instead of `http.DefaultClient` * This gives us access to logging, tracing, etc... out of the box * Loading certs that are configured in `experimentalFeatures.tls.external.certificates` into the HTTP client * This happpens automagically with `httpcli.UncachedExternalClientFactory`. It has an option called `ExternalTransportOpt` that loads the certs from `tls.external` (see recording to see this in action) ## Test plan Added new tests and tested manually.
Previously, we were using Go's default HTTP Client (
http.DefaultClient) to invoke GitHub to create GitHub apps. This client does not work with custom certificates that may need to be used if calling an on-prem GitHub instance.Changes
httpcli.UncachedExternalClientFactoryinstead ofhttp.DefaultClientexperimentalFeatures.tls.external.certificatesinto the HTTP clienthttpcli.UncachedExternalClientFactory. It has an option calledExternalTransportOptthat loads the certs fromtls.external(see recording to see this in action)Test plan
Added new tests and tested manually (see below for recordings)
Creating an app
Screen.Recording.2023-07-18.at.14.02.22.mov
Validation of custom certs being loaded
Screen.Recording.2023-07-19.at.10.34.45.mov