Tuesday, 20 February 2024

LocalStack behind TLS interception

Introduction:


Some organisations run corporate proxies that intercept all outbound TLS traffic: the proxy terminates the connection and re-signs it with an internal root CA. Any client that does not trust that CA sees an invalid certificate chain, so most tools fail out of the box. This is the case for LocalStack https://www.localstack.cloud/, a very useful tool for simulating AWS services such as S3 object storage and Lambda functions on your own machine.


Steps:


Get the root certificate.

First, export the proxy's root certificate from the Windows certificate store: search the Start menu for "Certificate", or open Run and type certlm.msc (Local Computer store) or certmgr.msc (Current User store). Under Trusted Root Certification Authorities you will find your company's root certificate. Right-click it, choose All Tasks > Export, and pick the "Base-64 encoded X.509 (.CER)" format: update-ca-certificates, used in the next step, only accepts PEM-encoded files, and a certificate exported with the default "DER encoded binary X.509" option does not end up as a trusted CA in the image.





Create a new Docker image

The first thing we need to do is to build a new Docker image from the LocalStack image with our certificate added to its trust store. Copy the certificate into the same directory as your Dockerfile, then create a Dockerfile with the following content (in my case, my certificate is FHVI_root.cer):


# Pin a specific tag instead of :latest if you want reproducible builds
FROM localstack/localstack:latest
# update-ca-certificates only picks up PEM-encoded files with a .crt extension
# from this directory, so the exported .cer must be Base-64 encoded
COPY ./FHVI_root.cer /usr/local/share/ca-certificates/cert-bundle.crt
# Regenerates /etc/ssl/certs/ca-certificates.crt with the corporate root included
RUN update-ca-certificates
# Point the HTTP clients shipped in the image (curl, Python requests, Node) at the regenerated bundle
ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt


Build the image under a new name (in my case localstackfhvi) with the following command:

 docker build -t localstackfhvi .
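The step that most often goes wrong here is the certificate format: the Windows export wizard defaults to DER, while update-ca-certificates only reads PEM. As an added example that is not part of the original post (nor LocalStack's own code), the following standard-library Python script detects whether an exported file is DER or PEM, converts DER to PEM, normalises Windows line endings and any "Bag Attributes" text around the armour, and checks whether a bundle such as the container's /etc/ssl/certs/ca-certificates.crt already contains the certificate. The script name convert_cert.py and the FHVI_root.cer / FHVI_root.crt file names in the usage comment follow the post's naming and are assumptions; the sample DER bytes are constructed minimal DER SEQUENCEs, not real certificates.

```python
"""Normalise an exported root certificate before it is COPYed into the image.

Debian's update-ca-certificates only picks up PEM-encoded files with a .crt
extension from /usr/local/share/ca-certificates. A DER file dropped there
does not become a trusted CA. This script detects the encoding, converts
DER to PEM with the standard library only, strips CRLF and surrounding text,
and checks whether a bundle already holds the certificate.
"""
import base64
import re
import sys

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag 0x30) in `data`.

    Handles short-form (< 128) and long-form (0x81..0x84) length octets.
    Raises ValueError if the header is not a well-formed SEQUENCE.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER long-form length")
    return 2 + n + int.from_bytes(data[2 : 2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """Return "pem", "der" or "unknown" for the bytes of a certificate file."""
    if _PEM_BLOCK.search(data):
        return "pem"
    try:
        # A DER certificate is exactly one SEQUENCE spanning the whole file.
        return "der" if der_sequence_length(data) == len(data) else "unknown"
    except ValueError:
        return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap a complete DER certificate in PEM armour, 64 base64 chars per line."""
    if detect_encoding(der) != "der":
        raise ValueError("input is not a complete DER certificate")
    b64 = base64.b64encode(der)
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def to_pem(data: bytes) -> bytes:
    """Canonical PEM for DER or PEM input; CRLF and any text outside the
    armour (e.g. "Bag Attributes") are dropped. ValueError otherwise."""
    enc = detect_encoding(data)
    if enc == "der":
        return der_to_pem(data)
    if enc == "pem":
        body = re.sub(rb"\s+", b"", _PEM_BLOCK.search(data).group(1))
        return der_to_pem(base64.b64decode(body, validate=True))
    raise ValueError("unrecognised certificate encoding; export as Base-64 X.509")


def pem_bodies(bundle: bytes) -> list:
    """Base64 bodies (whitespace stripped) of every certificate in a PEM bundle."""
    return [re.sub(rb"\s+", b"", m) for m in _PEM_BLOCK.findall(bundle)]


def bundle_contains(bundle: bytes, cert: bytes) -> bool:
    """True if `cert` (DER or PEM) is already present in `bundle`, e.g. in the
    container's /etc/ssl/certs/ca-certificates.crt after update-ca-certificates."""
    return pem_bodies(to_pem(cert))[0] in pem_bodies(bundle)


# Constructed sample inputs: minimal DER SEQUENCEs, not real certificates.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def convert_file(src: str, dst: str) -> str:
    """Write `src` as PEM to `dst` and return the encoding that was detected."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(to_pem(data))
    return detect_encoding(data)


if __name__ == "__main__":
    # Assumed usage, before docker build: python convert_cert.py FHVI_root.cer FHVI_root.crt
    src, dst = sys.argv[1], sys.argv[2]
    print(f"{src}: {convert_file(src, dst)} -> wrote PEM to {dst}")
```

Run it on the exported file before docker build and COPY the resulting .crt; after the image is built, `bundle_contains` run against a copy of the container's ca-certificates.crt confirms the corporate root actually made it into the bundle rather than assuming update-ca-certificates accepted the file.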


Compose and run the new container


Then create a docker-compose.yml file with the following content:


# No "version" key: Compose v2 treats it as obsolete, and "3.11" was never a valid value

services:
  localstack:
    container_name: "${LOCALSTACK_DOCKER_NAME:-localstack-main}"
    image: localstackfhvi                  # the image built above, not localstack/localstack
    ports:
      - "127.0.0.1:4566:4566"            # LocalStack Gateway, bound to loopback only
      - "127.0.0.1:4510-4559:4510-4559"  # external services port range
    environment:
      # LocalStack configuration: https://docs.localstack.cloud/references/configuration/
      - DEBUG=${DEBUG:-0}
      - SKIP_SSL_CERT_DOWNLOAD=1         # do not fetch the localstack.cloud certificate through the proxy
      - ACTIVATE_PRO=0
    volumes:
      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
      # Needed to spawn Lambda containers; note this gives the container full control of the host Docker daemon
      - "/var/run/docker.sock:/var/run/docker.sock"



Now start the stack with:

docker compose up


Test it with the AWS CLI


The AWS CLI lets you talk to your new LocalStack S3 object storage. On Windows, install it with the MSI installer https://awscli.amazonaws.com/AWSCLIV2.msi or with pip: pip install awscli

Two things to check first. The CLI needs credentials and a region even though LocalStack does not verify them (set AWS_ACCESS_KEY_ID=test, AWS_SECRET_ACCESS_KEY=test and AWS_DEFAULT_REGION=us-east-1 in the shell, or use the profile described below); otherwise it stops with "Unable to locate credentials". And if the proxy is configured through HTTP_PROXY/HTTPS_PROXY, make sure NO_PROXY includes localhost and 127.0.0.1, or the request to the endpoint below is sent to the proxy instead of the container.

Now type:

aws --endpoint-url=http://localhost:4566 kinesis list-streams

You should get an empty StreamNames list as a result.

Alternatively, you can store the configuration in a named profile so you do not have to
type the credentials, region and endpoint every time.

The credentials file is stored at C:\Users\USERNAME\.aws\credentials

For LocalStack the file will be (the values are dummies; LocalStack accepts any key pair):

[localstack]
aws_access_key_id = test
aws_secret_access_key = test


Then there is the config file C:\Users\USERNAME\.aws\config with the following content (the endpoint_url setting in a profile requires AWS CLI v2.13 or later; with an older CLI keep passing --endpoint-url=http://localhost:4566 on every command, otherwise requests go to the real AWS endpoint and are rejected):

[profile localstack]
region = us-east-1
output = json
endpoint_url = http://localhost:4566


Now let's create a bucket "test" with the AWS CLI (add --endpoint-url=http://localhost:4566 to each command unless the profile itself carries endpoint_url, otherwise the request goes to the real AWS endpoint):

aws s3 mb s3://test --profile localstack

Use the following command to list your buckets:

aws s3 ls --profile localstack


Conclusion



The modern data stack has dependencies and auto-updates at its heart, so
some sub-sub-process will try to download new libraries and fail
because of a certificate error.

This is where the cloud shines: it offers an industrialised platform with normalised
configuration, leaving time to be spent on valuable tasks.

Working on any modern data stack behind a corporate proxy with TLS interception is
a drawn-out process. The extra time required is very difficult to justify to a non-technical or management
person, so be wary of its impact on how your performance is perceived.
