Closed shubb30 closed 4 years ago
Thanks @shubb30. We'll add this functionality to support mounting a pre-created secret to /usr/local/share/ca-certificates.
Can you confirm mounting to this path solved your connection issue?
Thanks @eldada. Mounting that path, and also running update-ca-certificates as root fixed the problem. Running the command would need to be added to the image so that it runs every time the container starts.
👍
This feature would be greatly appreciated. I think the user is set to jfrog in the image so running commands as root at bootstrap is currently not possible. Bootstrapping as root and dropping to jfrog using gosu in the entrypoint script would be a good choice here.
As noted - we are running as non-root, so running update-ca-certificates might be an issue. We'll look into the possible options here.
Update: We are checking the possibility to add support for this in the Xray application itself as the non-root issue is critical.
We too are running into this same issue. Our Artifactory instance is running with a certificate with an untrusted intermediate certificate which needs to be added to the trust chain. The only other alternative is to use an insecure link to Artifactory, which breaks SSO. Adding this feature to the XRay chart would be greatly appreciated.
Duplicate of #759
@chukka fix the code broken in the PR and CA Certs will once again work :)
Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature request
Version of Helm and Kubernetes: Rancher 2.3.2, Kubernetes 1.15.5
Which chart: Xray
What happened: I deployed Xray in our Kubernetes cluster, and when I tried to point it to my Artifactory instance, it said it could not connect, which I presumed was because of our certificate signed by our corporate CA.
I created a Kubernetes configMap, and added the root and subordinate CA, and then mounted that into the xray-server at /usr/local/share/ca-certificates. I then logged into the server, and did a docker exec -it -u root into the xray server (since the container runs as a non-root user) and then ran the command update-ca-certificates, which installs the certificates into the Ubuntu cert store. This allowed the server to then talk to Artifactory. The problem is that I would need to run the steps every time the container restarts.
What you expected to happen: Have a Helm chart option for CA Certificate configMap Name, which mounts the named CM at the above directory. Then when the xray-server starts, it needs to run the update-ca-certificates command before the server starts so that the certificates get imported.
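An added example, not part of the original issue or the chart's own code: a non-root way to get the same effect as update-ca-certificates at container start, by merging the mounted CA files with the system bundle into a writable file. The function name, the /tmp output path and the use of SSL_CERT_FILE are assumptions; OpenSSL and Go's crypto/x509 read that variable, but the thread does not confirm that Xray does.

```shell
#!/bin/sh
# build_ca_bundle SRC_DIR SYSTEM_BUNDLE OUT_FILE   (hypothetical helper)
# Copies SYSTEM_BUNDLE to OUT_FILE and appends every *.crt file under SRC_DIR
# that contains a PEM certificate. Needs no root: only OUT_FILE's directory
# must be writable. Prints the number of CA files appended.
build_ca_bundle() {
    src_dir=$1
    system_bundle=$2
    out_file=$3
    added=0
    tmp="${out_file}.tmp.$$"

    # Start from the distribution's trust store so public CAs keep working.
    if [ -r "$system_bundle" ]; then
        cat "$system_bundle" > "$tmp" || return 1
    else
        : > "$tmp" || return 1
    fi

    for cert in "$src_dir"/*.crt; do
        # Unmatched glob or dangling symlink (configMap mounts are symlinks).
        [ -f "$cert" ] || continue
        # Refuse anything that is not PEM, e.g. a DER file or a stray key.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
            echo "skipping $cert: no PEM certificate found" >&2
            continue
        fi
        # Blank line guards against a previous file lacking a final newline.
        printf '\n' >> "$tmp"
        cat "$cert" >> "$tmp"
        added=$((added + 1))
    done

    # Rename last so a reader never sees a half-written bundle.
    mv "$tmp" "$out_file" || return 1
    echo "$added"
}

# Usage in an entrypoint script running as the non-root user (paths assumed,
# /etc/ssl/certs/ca-certificates.crt is the Ubuntu system bundle):
#   build_ca_bundle /usr/local/share/ca-certificates \
#       /etc/ssl/certs/ca-certificates.crt /tmp/ca-bundle.crt
#   export SSL_CERT_FILE=/tmp/ca-bundle.crt
```

Because the bundle is rebuilt on every start, a rotated configMap takes effect on the next container restart without touching the image.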