vexxhost / atmosphere

Simple & easy private cloud platform featuring VMs, Kubernetes & bare-metal

Openstack CLI with private CA #1185

Closed mpiscaer closed 5 months ago

mpiscaer commented 6 months ago

In our dev setup we use Atmosphere with multiple nodes. For this we use an ACME cert that uses a private CA.

In the old manner the public key got imported in the keystore via /usr/local/share/ca-certificates/

But with the new OpenStack CLI inside a container this CA is not imported into the used keystore.

What is the best way to get this done?

Currently we get the error:

root@ctl1:~# openstack network list
SSL exception connecting to https://identity.infra.cluster6.DOMAIN.TLD/v3/auth/tokens: HTTPSConnectionPool(host='identity.infra.cluster6.DOMAIN.TLD', port=443): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

mpiscaer commented 6 months ago

I see that alias imports the ca when it is cluster_issuer_type self-signed or ca.

mnaser commented 6 months ago

@fitbeard curious if you have any thoughts about this?

fitbeard commented 5 months ago

@mpiscaer @fitbeard https://github.com/vexxhost/atmosphere/pull/1197 that should be the missing piece.

@mpiscaer can you test this change please? If this fixes the issue with the private CA, then the next step would be a fix for https://github.com/vexxhost/atmosphere/issues/1186 using bits from your https://github.com/vexxhost/atmosphere/pull/1188 + mount changes from my PR.

mpiscaer commented 5 months ago

@fitbeard The problem with #1197 is that the openstack-cli image uses certifi and certifi does not accept privately signed CAs. Certifi uses its own keystore.

I tried to manually uninstall the pip certifi package, but then the openstack application complains about a missing certifi module.

fitbeard commented 5 months ago

@fitbeard The problem with #1197 is that the openstack-cli image uses certifi and certifi does not accept privately signed CAs. Certifi uses its own keystore.

I tried to manually uninstall the pip certifi package, but then the openstack application complains about a missing certifi module.

Ah! You are right. But I think you need to look here first: https://github.com/vexxhost/atmosphere/blob/main/roles/openstack_cli/templates/openrc.j2#L14 - adjusting this should make certifi happy. This openrc config describes configuration from the "inside container perspective", and for /etc/openstack/clouds.yml take a look here: https://github.com/vexxhost/atmosphere/blob/main/roles/openstacksdk/templates/clouds.yaml.j2#L11 - same here. But you can also consider adding something like insecure: true. What I'm trying to say is that I don't believe that this is an edge case at all.
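The exchange above turns on which trust store the CLI actually consults: certifi's bundled CA file (what requests uses by default), an explicit bundle given via OS_CACERT or the cacert key in clouds.yaml, or no verification at all when insecure: true is set. The script below is an added example, not Atmosphere code or part of this thread: it models that precedence for a parsed clouds.yaml entry, flags the weak and the "will fail against a private CA" configurations, and renders the hardened entry. The sample cloud entries, the hostname reused from the error above, and the CA path /etc/openstack/private-ca.pem are constructed placeholders; the precedence order is an assumption about keystoneauth/openstacksdk behaviour and should be checked against the installed versions.

```python
"""
Model which CA bundle the OpenStack CLI (keystoneauth -> requests) will use
for a clouds.yaml entry, and audit weak settings.

Precedence modelled here (an assumption; verify against your openstacksdk):
  1. insecure: true / verify: false   -> verification disabled
  2. OS_CACERT in the environment     -> explicit bundle path
  3. cacert: in the clouds.yaml entry -> explicit bundle path
  4. otherwise                        -> requests' default, i.e. certifi's
                                         bundle, which holds no private CA
"""
import os
import ssl

try:
    import certifi  # normally installed alongside requests
    CERTIFI_BUNDLE = certifi.where()
except ImportError:
    CERTIFI_BUNDLE = None

# Constructed sample entries, as they would appear parsed from the "clouds:"
# mapping of /etc/openstack/clouds.yaml. Not taken from Atmosphere.
AUTH_URL = "https://identity.infra.cluster6.DOMAIN.TLD/v3"
SAMPLE_CLOUDS = {
    # weak: accepts any certificate, including a spoofed identity endpoint
    "weak": {"auth": {"auth_url": AUTH_URL}, "insecure": True},
    # hardened: verification on, pinned to the private CA bundle (placeholder path)
    "hardened": {"auth": {"auth_url": AUTH_URL}, "verify": True,
                 "cacert": "/etc/openstack/private-ca.pem"},
    # default: nothing set, so certifi's bundle is used and a private CA fails
    "default": {"auth": {"auth_url": AUTH_URL}},
}


def effective_verify(cloud, env=None):
    """Return what requests would receive as `verify`:
    False (disabled), a bundle path (str), or True (library default bundle)."""
    env = os.environ if env is None else env
    if cloud.get("insecure") is True or cloud.get("verify") is False:
        return False
    if env.get("OS_CACERT"):
        return env["OS_CACERT"]
    if cloud.get("cacert"):
        return cloud["cacert"]
    return True


def audit_cloud(name, cloud, env=None, private_ca=True):
    """Return a list of (severity, message) findings for one cloud entry."""
    verify = effective_verify(cloud, env)
    if verify is False:
        return [("HIGH", f"{name}: TLS verification disabled (insecure/verify: false); "
                         "any certificate is accepted")]
    if verify is True:
        bundle = CERTIFI_BUNDLE or "requests' default bundle"
        if private_ca:
            return [("MEDIUM", f"{name}: no cacert/OS_CACERT, so {bundle} is used; "
                               "a private CA fails with CERTIFICATE_VERIFY_FAILED")]
        return [("INFO", f"{name}: verifying against {bundle}")]
    if not os.path.isfile(verify):
        return [("MEDIUM", f"{name}: cacert {verify} not found in this filesystem; "
                           "inside a container it must be mounted")]
    return [("INFO", f"{name}: verifying against {verify}")]


def render_clouds_yaml(name, auth_url, cacert):
    """Render the hardened clouds.yaml entry: verification on, private CA pinned."""
    return (
        "clouds:\n"
        f"  {name}:\n"
        "    auth:\n"
        f"      auth_url: {auth_url}\n"
        "    verify: true\n"
        f"    cacert: {cacert}\n"
    )


def trust_stores():
    """Show why update-ca-certificates on the host is not enough: the OpenSSL
    default store and certifi's bundle are separate files."""
    return {"openssl_default": ssl.get_default_verify_paths().cafile,
            "certifi": CERTIFI_BUNDLE}


if __name__ == "__main__":
    for cloud_name, cfg in SAMPLE_CLOUDS.items():
        for severity, message in audit_cloud(cloud_name, cfg, env={}):
            print(f"[{severity}] {message}")
    print(trust_stores())
    print(render_clouds_yaml("atmosphere", AUTH_URL, "/etc/openstack/private-ca.pem"))
```

Run it with no environment and the three entries report, in order, disabled verification, a missing bundle in this filesystem (expected in a container until the CA file is mounted), and the certifi fallback that produces the CERTIFICATE_VERIFY_FAILED error quoted at the top of the thread. The trust_stores() output makes the container point concrete: adding a certificate under /usr/local/share/ca-certificates changes the OpenSSL default file, not certifi's.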

mpiscaer commented 5 months ago

@fitbeard I think using OS_CACERT is a good idea.

mnaser commented 5 months ago

Hi there!

I just ran into this with the Venafi work that is happening and I have mostly addressed it in this manner here:

https://github.com/vexxhost/atmosphere/pull/1254

What do you think about perhaps extending the same "framework" to ACME by including a field to include the CA and that way we can be using 100% validated things? :)

Thanks Mohammed

mpiscaer commented 5 months ago

@mnaser I think that is even better. I was not very happy that it got skipped, but it was the best I could do.

mnaser commented 5 months ago

@mpiscaer cool, once the Venafi stuff lands, I'll try and see if we can apply the same concept for ACME.

mpiscaer commented 5 months ago

I am closing this issue, because the OpenStack CLI is working with a private CA.