jfrog / charts

JFrog official Helm Charts
https://jfrog.com/integration/helm-repository/
Apache License 2.0

Allow for importing custom CA certificates #617

Closed shubb30 closed 4 years ago

shubb30 commented 4 years ago

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature request

Version of Helm and Kubernetes: Rancher 2.3.2, Kubernetes 1.15.5

Which chart: Xray

What happened: I deployed Xray in our Kubernetes cluster, and when I tried to point it to my Artifactory instance, it said it could not connect, which I presumed was because of our certificate signed by our corporate CA.

I created a Kubernetes configMap, and added the root and subordinate CA, and then mounted that into the xray-server at /usr/local/share/ca-certificates. I then logged into the server, and did a docker exec -it -u root into the xray server (since the container runs as a non-root user) and then ran the command update-ca-certificates, which installs the certificates into the Ubuntu cert store. This allowed the server to then talk to Artifactory.

The problem is that I would need to run the steps every time the container restarts.

What you expected to happen: Have a Helm chart option for CA Certificate configMap Name, which mounts the named CM at the above directory. Then when the xray-server starts, it needs to run the update-ca-certificates command before the server starts so that the certificates get imported.

eldada commented 4 years ago

Thanks @shubb30 . We'll add this functionality to support mounting a pre-created secret to /usr/local/share/ca-certificates. Can you confirm mounting to this path solved your connection issue?

shubb30 commented 4 years ago

Thanks @eldada . Mounting that path, and also running update-ca-certificates as root fixed the problem. Running the command would need to be added to the image so that it runs every time the container starts.

radekw commented 4 years ago

👍

This feature would be greatly appreciated. I think the user is set to jfrog in the image so running commands as root at bootstrap is currently not possible. Bootstrapping as root and dropping to jfrog using gosu in the entrypoint script would be a good choice here.

eldada commented 4 years ago

As noted - we are running as non-root, so running update-ca-certificates might be an issue. We'll look into the possible options here.

eldada commented 4 years ago

Update: We are checking the possibility to add support for this in the Xray application itself as the non-root issue is critical.
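One way to get the certificates imported without running the application itself as root, shown here as an added example that is not part of this thread or of the jfrog/charts chart: an init container built from the same image runs update-ca-certificates as root into a shared emptyDir, and the server container then mounts the generated trust store read-only while keeping its own non-root user. The Pod name, ConfigMap name and image reference are placeholders; the ConfigMap keys must end in .crt, since update-ca-certificates only picks up files with that extension.

```yaml
# Added example (hypothetical Pod fragment, not from the jfrog/charts repo).
# The init container runs update-ca-certificates as root and writes the merged
# bundle into an emptyDir; the application container stays non-root and only
# reads the result at /etc/ssl/certs.
apiVersion: v1
kind: Pod
metadata:
  name: xray-server-ca-example          # placeholder name
spec:
  volumes:
    - name: custom-ca
      configMap:
        name: corporate-ca-certs        # placeholder; keys must be *.crt PEM files
    - name: ssl-certs
      emptyDir: {}                      # receives ca-certificates.crt and symlinks
  initContainers:
    - name: import-ca
      image: REPLACE_WITH_XRAY_SERVER_IMAGE   # placeholder; same image as the server
      securityContext:
        runAsUser: 0                    # update-ca-certificates must write /etc/ssl/certs
        runAsNonRoot: false
      command:
        - sh
        - -c
        - update-ca-certificates && chmod -R a+rX /etc/ssl/certs
      volumeMounts:
        - name: custom-ca
          mountPath: /usr/local/share/ca-certificates
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
  containers:
    - name: xray-server
      image: REPLACE_WITH_XRAY_SERVER_IMAGE   # placeholder; runs as the image's non-root user
      volumeMounts:
        - name: ssl-certs
          mountPath: /etc/ssl/certs     # bundle is read-only from the app's point of view
          readOnly: true
```

The init container only needs root for the few seconds it takes to regenerate the bundle, so the server's ProcessId never runs as root and the certificates are rebuilt on every restart.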

jshrack-ssi commented 4 years ago

We too are running into this same issue. Our Artifactory instance is running with a certificate with an untrusted intermediate certificate which needs to be added to the trust chain. The only other alternative is to use an insecure link to Artifactory, which breaks SSO. Adding this feature to the XRay chart would be greatly appreciated.

evannorstrand commented 4 years ago

Duplicate of #759

@chukka fix the code broken in the PR and CA Certs will once again work :)

chukka commented 4 years ago

@shubb30 Is this still an issue? Can you please confirm which version of Xray you are using? If you are using Unified (Xray 3.x), please refer here

I'm marking this issue as closed.