[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problem creating applications from in-house git





On Sun, Aug 23, 2015 at 8:24 PM, Clayton Coleman <ccoleman redhat com> wrote:


On Aug 23, 2015, at 7:36 PM, Boris Kodel <boris kodel gmail com> wrote:

So if I understand you correctly I should build a custom image based on an existing sti image such as https://github.com/openshift/sti-php/blob/master/5.5/Dockerfile.rhel7? I believe that I can add my CA if I modify the base image (base-rhel7) and rebuild.
Alternatively I can add an "ADD myca.crt /etc/pki/tls/certs/ca-bundle.crt" instruction to the above Dockerfile.

Which of the above options do you recommend? I guess the first option is more generic thus preferred.

Meanwhile I tried a simpler approach - executing /bin/bash in the openshift/php-55-centos7 image and adding the CA manually, but this failed since I was unable to get root privileges. Is it even possible to run commands as root in the sti images?

Finally I feel the best solution to this issue would be to automatically mount the CA bundle from the host for all containers (the same way the /ets/hosts and /etc/resolv.conf are mounted). This would work for me since my host machine is already configured to trust the CA.
Is this solution feasible with docker (via the options in sysconfig) or the current version of openshift?


If all your images are consistently coming from the same base distro (like rhel or centos, or Ubuntu), then it will work, but the paths differ across distros.  

I think it might be reasonable for us to introduce a default symlink in all the origin images that binds the masters CA crt into the default dir.  Then you can set the CA globally.  Ben/Jordan can we make that work?



​i'm afraid i'm not following your symlink suggestion...  what do you mean by "binds the masters CA cert into the default dir"?   Do you mean the host's CA cert bundle?

Do you mean create a symlink in the cert dir that references some arbitrary path, and then when starting those images we'd volume mount the host CA cert into that dir? why wouldn't we just volume mount it directly that case?


 


On Sun, Aug 23, 2015 at 8:58 PM, Clayton Coleman <ccoleman redhat com> wrote:
The easiest way today is to embed your CA inside the builder image
(openshift/docker-builder or openshift/sti-builder).  You can also
deliver the CA as a secret on the builder service account and then
symlink it in your layer into the right location in the builder.

There's some work going on this sprint to add a CA option to builders
(or make it easier to add a set of secrets).


> On Aug 23, 2015, at 1:19 PM, Boris Kodel <boris kodel gmail com> wrote:
>
> Hello,
> I have recently deployed openshift v3 origin in our closed (off-line) environment.
> Unfortunately I am unable to create a new application from code when the code is pulled from our in-house gitlab deployment.
>
> After inspecting the build logs I have discovered that the build pods does not trust our git server certificate issuer. This makes sense since we use an in-house certificate authority.
>
> My question is, how can I configure the builder image to trust our local CA?
>
>
> Best Regards,
> Boris.
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--
Ben Parees | OpenShift


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]