
Re: Problem creating applications from in-house git



you'd write a dockerfile like:

FROM openshift/php-55-centos7
ADD mycert /etc/pki/tls/certs/ca-bundle.crt

then you'd docker build that Dockerfile, push the new image to a registry and reference it from your BuildConfig (either directly or by creating an ImageStream for it)


On Sun, Aug 23, 2015 at 4:00 PM, Boris Kodel <boris kodel gmail com> wrote:
So if I understand you correctly I should build a custom image based on an existing sti image such as https://github.com/openshift/sti-php/blob/master/5.5/Dockerfile.rhel7? I believe that I can add my CA if I modify the base image (base-rhel7) and rebuild.
Alternatively I can add an "ADD myca.crt /etc/pki/tls/certs/ca-bundle.crt" instruction to the above Dockerfile.

Which of the above options do you recommend? I guess the first option is more generic thus preferred.

Meanwhile I tried a simpler approach - executing /bin/bash in the openshift/php-55-centos7 image and adding the CA manually, but this failed since I was unable to get root privileges. Is it even possible to run commands as root in the sti images?

Finally I feel the best solution to this issue would be to automatically mount the CA bundle from the host for all containers (the same way the /etc/hosts and /etc/resolv.conf are mounted). This would work for me since my host machine is already configured to trust the CA.
Is this solution feasible with docker (via the options in sysconfig) or the current version of openshift?


On Sun, Aug 23, 2015 at 8:58 PM, Clayton Coleman <ccoleman redhat com> wrote:
The easiest way today is to embed your CA inside the builder image
(openshift/docker-builder or openshift/sti-builder).  You can also
deliver the CA as a secret on the builder service account and then
symlink it in your layer into the right location in the builder.

There's some work going on this sprint to add a CA option to builders
(or make it easier to add a set of secrets).


> On Aug 23, 2015, at 1:19 PM, Boris Kodel <boris kodel gmail com> wrote:
>
> Hello,
> I have recently deployed openshift v3 origin in our closed (off-line) environment.
> Unfortunately I am unable to create a new application from code when the code is pulled from our in-house gitlab deployment.
>
> After inspecting the build logs I have discovered that the build pods do not trust our git server certificate issuer. This makes sense since we use an in-house certificate authority.
>
> My question is, how can I configure the builder image to trust our local CA?
>
>
> Best Regards,
> Boris.
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users






--
Ben Parees | OpenShift
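
Added example (not part of the original thread, and not OpenShift project code): the ADD line in the Dockerfile above replaces ca-bundle.crt with a single certificate, so that file would then hold only the in-house CA. The script below appends the CA to the existing bundle instead, refuses files that carry a private key, and is safe to run twice; the function names and the file arguments are assumptions.

```shell
#!/bin/sh
# Added example: append an in-house CA to a trust bundle, keeping existing roots.
# Function names and file arguments are assumptions, not from the thread.

count_certs() {
    # Number of lines in file $1 that open a PEM certificate block.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

add_ca_to_bundle() {
    ca=$1
    bundle=$2
    if [ ! -r "$ca" ] || [ ! -w "$bundle" ]; then
        echo "cannot read $ca or write $bundle" >&2
        return 2
    fi
    # Only the public certificate belongs in an image; refuse key material.
    if grep -q -- 'PRIVATE KEY-----' "$ca"; then
        echo "refusing: $ca contains a private key" >&2
        return 3
    fi
    begin=$(count_certs "$ca")
    end=$(grep -c -- '-----END CERTIFICATE-----' "$ca" || true)
    if [ "$begin" -lt 1 ] || [ "$begin" -ne "$end" ]; then
        echo "refusing: $ca is not well-formed PEM" >&2
        return 4
    fi
    # Idempotence: compare with whitespace stripped so line endings do not matter.
    want=$(tr -d ' \t\r\n' < "$ca")
    have=$(tr -d ' \t\r\n' < "$bundle")
    case $have in
        *"$want"*) return 0 ;;  # already present, nothing to do
    esac
    # Append rather than overwrite; end the previous block with a newline first.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    cat "$ca" >> "$bundle"
}

# Usage: sh add-ca.sh myca.crt /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -eq 2 ]; then
    add_ca_to_bundle "$1" "$2"
fi
```

On CentOS 7 based images the distribution's own mechanism is to place the certificate under /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract, which regenerates the bundle.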

