Currently, we do not verify the TLS certificate for API requests of the
external IPAM and DNS integration. This could allow man-in-the-middle
attacks, albeit most IPAM infrastructure is on controlled and isolated
LANs, so it's not something that should frequently happen; and
technically our IPAM integration is still marked as tech-preview,
which had its reasons.
Enforce verification, and allow users to pass a cert SHA256
fingerprint to ensure a certificate's validity if it's not trusted by
the system trust store, as it's, e.g., the case for self-signed certs.
The code was adapted from the one in pve-apiclient, which we cannot
reuse directly as it is only implemented for requests against PVE
nodes, not as a generic HTTP client request helper.
Add the new dependency `libio-socket-ssl-perl` required to get the
verify callback for the TLS certificate used for cert-fingerprint
checking.
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [TL: return valid for non-leaf certs and rewrite commit message]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 | 
 | 
Avoid using a regex if we have a builtin function ready to use.
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [TL: touch up commit message]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 | 
 | 
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com>
 [TL: drop all other unused Dumper use statements]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 | 
 | 
The conditional assignment caused falsy values to be converted to
undef when comparing them. This led to the behavior that configuration
values that are interpreted by perl as falsy would get wrongly
compared and always show up as pending changes.
As an example the 'bgp-multipath-as-path-relax' or 'ebgp' keys of the
bgp controller configuration are booleans and get stored as 0 in the
controller configuration when they're turned off. They always showed
up as a pending change, because of the behavior described above.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
 | 
 | 
We only set up proxies from the environment previously, but also check
the one configured in the cluster-wide datacenter.cfg and prefer that
over anything else.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
 | 
 | 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 | 
 | 
This is needed so dhcp-ranges are properly displayed as changed in the
web UI.
Also took the chance to properly indent the encode_value function with
our indentation scheme.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Tested-by: Hannes Duerr <h.duerr@proxmox.com>
 | 
 | 
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
 | 
 | 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 | 
 | 
new path is /zones/<zone>/<vnetid>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
 | 
 | 
like almost all of our repos do nowadays, modern git can detect such
things on rebase so in development stuff should be hopefully not too
much affected by this.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 |