Open llegolas opened 5 years ago
Adding at least the default k8s/openshift CA.crt to the trust store is a nice feature to have. Will the below work?
```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
)

// newTLSConfig trusts the system roots plus the cluster CA that Kubernetes/OpenShift mount into every pod.
func newTLSConfig() *tls.Config {
	rootCAs, _ := x509.SystemCertPool()
	if rootCAs == nil {
		rootCAs = x509.NewCertPool()
	}
	certs, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
	if err != nil {
		log.Fatalf("Failed to read /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: %v", err)
	}
	// AppendCertsFromPEM returns false when no certificate could be parsed from the file.
	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
		log.Println("No certs appended, using system certs only")
	}
	return &tls.Config{
		RootCAs: rootCAs,
	}
}
```
Hi! Might be good to add support for both the service account as well as a 'disregard certificate validity' option, through Golang's `InsecureSkipVerify: true`. I'll look into this soon.
You can also add support for custom certificates provided with volume mounts (backed by secrets). For example, if the file /tmp/custom-ca.crt exists, append it too.
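Putting the three suggestions in this thread together (service-account CA, an optional secret-backed CA file, and an `InsecureSkipVerify` switch), here is an added example; it is not code from this issue or from the project. It appends whichever CA bundles exist, fails loudly on a file that holds no certificate instead of silently keeping only the system roots, and shows the "certificate signed by unknown authority" failure with system roots alone versus success once the mounted CA is trusted. The hostname sso.example.internal, the temp-file path standing in for the volume mount, and the generated CA are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// NewTLSConfig builds the client config for the OIDC discovery request: system roots (or an empty
// pool if unavailable) plus every PEM bundle found at caPaths, e.g. the service-account CA at
// /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and a secret-backed /tmp/custom-ca.crt.
// Missing files are skipped; a file with no parseable certificate is an error, because silently
// keeping only system roots is what later surfaces as "x509: certificate signed by unknown
// authority". insecure=true is the InsecureSkipVerify option and disables verification entirely.
func NewTLSConfig(caPaths []string, insecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if insecure {
		return cfg, nil
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	for _, p := range caPaths {
		pemBytes, err := os.ReadFile(p)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("read %s: %w", p, err)
		}
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("%s: no PEM certificates found", p)
		}
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// VerifyLeaf does what the handshake does with the server's DER certificate: chain it to cfg.RootCAs for host.
func VerifyLeaf(cfg *tls.Config, leafDER []byte, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // verification is skipped, exactly as it would be in the handshake
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// GenerateTestPKI is constructed data, not a real cluster CA: a throwaway CA (PEM) and a server cert it signed for host.
func GenerateTestPKI(host string) (caPEM, leafDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test cluster CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER
}

func main() {
	const host = "sso.example.internal" // placeholder name, not the hostname from this thread
	caPEM, leafDER := GenerateTestPKI(host)
	caPath := filepath.Join(os.TempDir(), "custom-ca.crt") // stands in for the secret-backed mount
	if err := os.WriteFile(caPath, caPEM, 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(caPath)
	noCA, _ := NewTLSConfig(nil, false)
	fmt.Println("system roots only:", VerifyLeaf(noCA, leafDER, host))
	withCA, _ := NewTLSConfig([]string{"/missing/ca.crt", caPath}, false)
	fmt.Println("with mounted CA:", VerifyLeaf(withCA, leafDER, host))
}
```

The first call reproduces the error reported further down in this thread (an `x509.UnknownAuthorityError`); the second succeeds because the issuing CA was appended from the mounted file. Treating a present-but-empty CA file as fatal is deliberate: the original snippet only logs and continues, which leaves the failure to show up later as an OIDC setup error with no hint that the CA file was the problem.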
I don't use a self-signed cert, and errors occurred.
Workaround: https://www.getambassador.io/reference/filter-reference/#installing-self-signed-certificates
Starting it against HTTPS Keycloak I get this error:
2019/01/17 11:26:54 OIDC provider setup failed: Get https://sso-keycloak-sso.cloudapps02.euan-hume-02-ocp.svcs.dxc.com/auth/realms/kubeflow/.well-known/openid-configuration: x509: certificate signed by unknown authority