openshift / ocm-container

Containerized environment for accessing OpenShift v4 clusters, packing necessary tools/scripts
Apache License 2.0

Mount local certificate authority anchors #205

Closed T0MASD closed 1 year ago

T0MASD commented 1 year ago

Mounts certificate authority trust source to avoid self-signed certificate errors

before

$ curl https://someplace.redhat.com
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

after

$ curl https://someplace.redhat.com
<html><body>You are being <a href="https://someplace.redhat.com/users/auth/geo/sign_in">redirected</a>.</body></html>
clcollins commented 1 year ago

Can we just add the CAs to the image? They're not secret, and it would avoid yet another mount of our local filesystem into the container. This would allow any users to use OCM container without having to have the CAs, too, which I think is an excellent advantage of the project. I like being able to just pull the image and go, without needing to customize my laptop at all to get things to work :)

clcollins commented 1 year ago

Coming back to this, I just added this to another image I use - would you be open to making this change in the Dockerfile instead of adding the mount, @T0MASD:

# Fetch the internal root CAs into the anchors directory, then rebuild the system trust bundle
RUN curl -sSL -o /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem
RUN curl -sSL -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem
RUN update-ca-trust
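The following script is an added example and is not code from ocm-container or from either commenter. It reproduces the "self-signed certificate in certificate chain" failure from the PR description with a private root CA generated locally (a constructed stand-in for an internal corporate root), shows the "after" state once that CA is trusted, and adds the gate a practitioner would want in front of the Dockerfile approach above: checking a CA's fingerprint against a value obtained out of band before it is dropped into the anchors directory. It assumes only the openssl CLI; `$WORK` and `$ANCHORS` are demo paths, `$ANCHORS` stands in for `/etc/pki/ca-trust/source/anchors`, and `build_bundle` is a simplified stand-in for `update-ca-trust`, not the real tool.

```shell
#!/bin/sh
# Added example, not ocm-container code. A private root CA is generated here as a constructed
# stand-in for an internal corporate root; $ANCHORS stands in for
# /etc/pki/ca-trust/source/anchors and build_bundle for update-ca-trust (assumptions).
set -eu

WORK="${WORK:-$(mktemp -d)}"
ANCHORS="$WORK/anchors"
mkdir -p "$ANCHORS"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Generate a throwaway private root CA and a leaf certificate signed by it.
make_private_chain() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=someplace.example.internal" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify a leaf the way curl does: against the default trust store, optionally plus one
# extra CA file. Prints "trusted" or "untrusted".
verify_leaf() {
    leaf="$1"; extra_ca="${2:-}"
    if [ -n "$extra_ca" ]; then
        result="$(openssl verify -CAfile "$extra_ca" "$leaf" 2>/dev/null || true)"
    else
        result="$(openssl verify "$leaf" 2>/dev/null || true)"
    fi
    case "$result" in
        *": OK") echo trusted ;;
        *)       echo untrusted ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate, as printed by openssl ("AA:BB:...").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Install a CA into the anchors directory only if its fingerprint matches a value obtained
# out of band (from the CA's owner, not from the same download). Installs nothing on mismatch.
install_anchor() {
    pem="$1"; expected="$2"; name="$3"
    actual="$(cert_fingerprint "$pem")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to anchor $pem: fingerprint $actual does not match $expected" >&2
        return 1
    fi
    cp "$pem" "$ANCHORS/$name"
}

# Concatenate the anchors into one bundle file. Simplified stand-in for update-ca-trust,
# which on a real host also regenerates the OpenSSL, NSS and Java trust stores.
build_bundle() {
    cat "$ANCHORS"/*.pem > "$WORK/bundle.pem"
    echo "$WORK/bundle.pem"
}

# Walk through the PR's before/after. In real use the expected fingerprint comes from an
# out-of-band source; here it is read from the freshly generated CA only to run the demo.
make_private_chain
echo "before: $(verify_leaf "$WORK/leaf.pem")"
install_anchor "$WORK/ca.pem" "$(cert_fingerprint "$WORK/ca.pem")" private-root.pem
echo "after:  $(verify_leaf "$WORK/leaf.pem" "$(build_bundle)")"
```

Whichever way the anchors reach the container, the PR's mount of the host directory or the Dockerfile fetch suggested above, trust is decided by what lands in the anchors directory, so the fingerprint gate is the step worth keeping: a `curl` of a root CA over HTTPS cannot be verified by the very CA it is fetching. If the directory is mounted from the host, mounting it read-only keeps a process in the container from adding anchors to the host.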
T0MASD commented 1 year ago

@clcollins unfortunately those certs aren't public :(

$ curl https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem
curl: (6) Could not resolve host: certs.corp.redhat.com
clcollins commented 1 year ago

Ah, bummer. Maybe we can grab those in some other way in the future.

/lgtm /approve

openshift-ci[bot] commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clcollins, T0MASD

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/openshift/ocm-container/blob/master/OWNERS)~~ [clcollins]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment