Multiple options for configuring RavenDB client certificate #4767

Open
wants to merge 5 commits into
base: master

Conversation

DavidBoike
Member

@DavidBoike DavidBoike commented Jan 31, 2025

Adds the following configuration options as environment variables for connecting to external RavenDB instances, generally for use when deployed as a container:

  • RAVENDB_CLIENTCERTIFICATEPATH: Provide a path to the client certificate, for example, to a path loaded in a mounted secrets volume.
  • RAVENDB_CLIENTCERTIFICATEBASE64: Provide the client certificate as a Base64-encoded string.
  • RAVENDB_CLIENTCERTIFICATEPASSWORD: If using a password-protected *.pfx certificate, supply the password to read it. If using a non-protected certificate, do not include this option.

If the certificate path or Base64 options are not used, the app will still look for a certificate in a static path in the application root. When deployed as a container, this path is /app/raven-client-certificate.pfx.

@DavidBoike DavidBoike changed the title Allow specifying RavenDB client certificate via environment variable Multiple options for configuring RavenDB client certificate Jan 31, 2025
@DavidBoike DavidBoike self-assigned this Jan 31, 2025
@DavidBoike DavidBoike added this to the 6.3.0 milestone Jan 31, 2025
Contributor

@danielmarbach danielmarbach left a comment

The things mentioned are just suggestions.

public class ServerConfiguration
using ServiceControl.RavenDB;

public class ServerConfiguration : IRavenClientCertificateInfo
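
Review bot: On `public class ServerConfiguration : IRavenClientCertificateInfo`, putting the interface on the configuration class means every component that holds a ServerConfiguration can also read the certificate settings, which per the description include a Base64-encoded certificate and a password. If the interface carries those values, a small dedicated type handed only to the certificate reader would keep that material away from unrelated code; either way, make sure these members are left out of any settings dump or startup logging.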
Contributor

Please don't hesitate to ignore. I do not find the interface is particularly helpful. We could also just have a record/class encapsulating these settings that is then passed to the reader code.

Member Author

Yeah I was lazy and didn't want to do extra mapping.

{
try
{
var bytes = Convert.FromBase64String(certInfo.ClientCertificateBase64);
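
Review bot: The `try` around `Convert.FromBase64String(certInfo.ClientCertificateBase64)` should not turn a malformed value into a silent fallback to the path or default-file certificate. The catch is not visible here, but if it swallows the FormatException, a misconfigured deployment would connect with a different certificate than the operator intended, or with none. Rethrow with a message that names RAVENDB_CLIENTCERTIFICATEBASE64 and keep the value itself out of the message and the logs.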
Contributor

I agree, it is probably better to throw when the values are not valid instead of falling back to reading the other variables.
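
One way the three options from the pull request description could be resolved, with the fail-fast behaviour suggested in the comment above. This is an added example, not code from the pull request or from ServiceControl. The type and method names, the rejection of path and Base64 being set together, and treating `appRoot` as the application root are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added illustration: type and method names are hypothetical, not ServiceControl's own.
public static class RavenClientCertificateExample
{
    const string PathVar = "RAVENDB_CLIENTCERTIFICATEPATH";
    const string Base64Var = "RAVENDB_CLIENTCERTIFICATEBASE64";
    const string PasswordVar = "RAVENDB_CLIENTCERTIFICATEPASSWORD";

    // Returns null only when nothing is configured and the default file is absent.
    public static X509Certificate2? Resolve(Func<string, string?> getEnv, string appRoot)
    {
        var path = getEnv(PathVar);
        var base64 = getEnv(Base64Var);
        var password = getEnv(PasswordVar); // stays null for a non-protected certificate

        // Assumption: the page defines no precedence, so setting both is rejected.
        if (!string.IsNullOrWhiteSpace(path) && !string.IsNullOrWhiteSpace(base64))
            throw new InvalidOperationException($"Set only one of {PathVar} and {Base64Var}.");
        if (!string.IsNullOrWhiteSpace(base64))
        {
            // Name the variable in the error, never echo its value: it holds key material.
            try { return Load(Convert.FromBase64String(base64), password, Base64Var); }
            catch (FormatException) { throw new InvalidOperationException($"{Base64Var} is not valid Base64."); }
        }
        if (!string.IsNullOrWhiteSpace(path))
        {
            // An explicit path that does not exist is an error, not a reason to fall back.
            if (!File.Exists(path)) throw new FileNotFoundException($"{PathVar} file not found.", path);
            return Load(File.ReadAllBytes(path), password, PathVar);
        }
        // Assumption: appRoot is the application root (/app in the container image).
        var fallback = Path.Combine(appRoot, "raven-client-certificate.pfx");
        return File.Exists(fallback) ? Load(File.ReadAllBytes(fallback), password, fallback) : null;
    }

    static X509Certificate2 Load(byte[] pfx, string? password, string source)
    {
        try
        {
            // On .NET 9+ X509CertificateLoader.LoadPkcs12 replaces this constructor.
            var cert = new X509Certificate2(pfx, password);
            return cert.HasPrivateKey ? cert : throw new InvalidOperationException($"{source}: no private key in certificate.");
        }
        catch (CryptographicException e) { throw new InvalidOperationException($"{source}: certificate unreadable; check {PasswordVar}.", e); }
    }
}
```

A caller would pass `Environment.GetEnvironmentVariable` and `AppContext.BaseDirectory`; taking the lookup as a delegate lets a test exercise each branch without touching the process environment.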

Successfully merging this pull request may close these issues.

When using a RavenDB PaaS it's impossible to use a RavenDB client certificates stored in Azure KeyVault
2 participants