
Inject Custom CA during builds



Hi Everyone,

I have an OpenShift installation which is sitting behind an appliance which intercepts outbound SSL traffic. Regular machines have the SSL certificate of the appliance installed on them and they are able to access the internet without any issues.

My issue is during the build. Because OpenShift builds images in containers, the container which is building the code doesn't have the SSL certificate of the interceptor installed in it. So grabbing code dependencies from npm, maven or pypi during a build fails, because the build tries to connect to the repo manager via HTTPS, and since the CA of the interceptor is not installed in the build container it fails.

My question is: How can I inject the CA certificate of the interceptor in the build container so that the traffic from the interceptor is trusted?

So far I've tried two options but they failed:

Option #1: have a customized .s2i/bin/assemble script which downloads the certificate into /etc/pki/ca-trust/source/anchors/ and runs update-ca-trust. But this option fails with:

$ oc logs dsqc-4-build
  % Total    % Received % Xferd  Average Speed   Time Time     Time  Current
                                 Dload  Upload   Total Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file Warning: /etc/pki/ca-trust/source/anchors/ZscalerRootCertificate-2048-SHA256.cr
Warning: t: Permission denied
 52  1732   52   901    0     0  14515      0 --:--:-- --:--:-- --:--:-- 14770
curl: (23) Failed writing body (0 != 901)
p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt: Permission denied p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: Permission denied p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem: Permission denied p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem: Permission denied p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/java/cacerts: Permission denied /tmp/scripts/assemble: line 14: /tmp/scripts/s2i-setup: No such file or directory error: build error: non-zero (13) exit code from registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift sha256:6c009f430da02bdcff618a7dcd085d7d22547263eeebfb8d6377a4cf6f58769d

Option #2: following the steps detailed in https://docs.openshift.com/container-platform/3.9/dev_guide/builds/build_inputs.html#using-secrets-during-build but it fails with the error:

$ oc logs po/dsqc-5-build
error: Uploading to container failed: Error response from daemon: {"message":"Error processing tar file(exit status 1): mkdir /certs/..2018_07_16_23_14_03.650131122: no such file or directory"} ERROR: The destination directory for "/var/run/secrets/openshift.io/build/root-certificate" injection must exist in container ("/etc/ssl/certs")

Any help is extremely appreciated.

--
Regards,
Ahmed Ossama
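One way to trust the interceptor's CA from inside the build without writing to /etc/pki (which the unprivileged build user cannot do, as the "Permission denied" errors above show), added here as an example and not code from the original post or from OpenShift's own tooling: build a writable combined bundle and point each package manager at it through the environment variables they honour. It assumes the CA is already present in the container as a PEM file (for instance mounted from a build secret) and, for the Maven case, that JAVA_HOME is set; file paths and the alias name are assumptions.

```shell
#!/bin/sh
# Added example: trust an intercepting proxy's CA inside an S2I build without
# writing to /etc/pki, which the unprivileged build user cannot do.
# Assumes the CA PEM file is already in the container (path is an assumption).

# Print the image's existing system bundle, whichever distro layout is present.
find_system_bundle() {
    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Append the custom CA to a copy of the system bundle in a writable location,
# refusing anything that is not PEM so a downloaded error page is not "trusted".
# Usage: build_ca_bundle <custom-ca.pem> <output-bundle.pem>
build_ca_bundle() {
    ca="$1"; out="$2"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        echo "not a PEM certificate: $ca" >&2; return 1
    fi
    : > "$out"
    if sys=$(find_system_bundle); then cat "$sys" >> "$out"; fi
    cat "$ca" >> "$out" && chmod 0644 "$out"
}

# Point the common non-JVM tools at the combined bundle via the variables
# they honour (OpenSSL-based tools, node/npm, pip, git, python requests).
use_ca_bundle() {
    export SSL_CERT_FILE="$1"
    export NODE_EXTRA_CA_CERTS="$1"
    export PIP_CERT="$1"
    export GIT_SSL_CAINFO="$1"
    export REQUESTS_CA_BUNDLE="$1"
}

# JVM builds (Maven) ignore the PEM variables: import the CA into a writable
# copy of the JDK truststore (default password "changeit") and pass it to Maven.
# Usage: build_java_truststore <custom-ca.pem> <output.jks>
build_java_truststore() {
    ca="$1"; out="$2"
    for src in "${JAVA_HOME:?}/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do
        [ -r "$src" ] && break
    done
    cp "$src" "$out" && keytool -importcert -noprompt -trustcacerts \
        -keystore "$out" -storepass changeit -alias proxy-ca -file "$ca" &&
    export MAVEN_OPTS="${MAVEN_OPTS:-} -Djavax.net.ssl.trustStore=$out"
}
```

Sourcing this from the assemble script (or from a file under /opt/app-root/etc that the image's run scripts read) keeps the fix in writable paths, so it works for both the build and the resulting image.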

