Closed padlar closed 1 year ago
I'm running into the same issue using Keycloak. We've got cert-manager issuing certificates for both Keycloak and Weave, and set up the custom certs to load using serverTLS; however, I don't seem to get around the issue even with --insecure.
Error: could not initialise authentication server: could not create auth server: could not create provider: Get "https://keycloak.sylva/realms/sylva/.well-known/openid-configuration": x509: certificate signed by unknown authority
As suggested by @bigkevmcd, a custom CA can be used today without any changes to the code by doing the following:
Create a secret with the custom CA and add env, extraVolumes and extraVolumeMounts to values.yaml as shown below:
apiVersion: v1
data:
  ca.crt: |
    RXdKT1R6RVJNQThHQTFVRUNoTUlVM1JoZEc1bGRIUXhHekFaQmdOVkJBTVRFbE4wWVhSdQ
    paWFIwSUZKdmIzUWdRMEVnTWpBZUZ3MHhNVEEwTVRNd056UXpNREZhRncwek5qQXlNVFl4
    TVRJd05URmFNRDB4CkN6QUpCZ05WQkFZVEFrNVBNUkV3RHdZRFZRUUtFd2hUZEdGMGJtVj
    BkREViTUJrR0ExVUVBeE1TVTNSaGRHNWwKZEhRZ1VtOXZkQ0JEUVNBeU1JSUJJakFOQmdr
    LS0tLQo=
kind: Secret
metadata:
  name: custom-root-ca
type: Opaque

envVars:
  - name: SSL_CERT_FILE
    value: /etc/ssl/certs/ca.crt
extraVolumes:
  - name: custom-ca-cert
    secret:
      secretName: custom-root-ca
extraVolumeMounts:
  - name: custom-ca-cert
    mountPath: /etc/ssl/certs
    readOnly: true
Closing the issue.
Problem
We have configured a dex openshift provider using a custom CA in our setup, and we get the following error when we run the weave gitops towards it -

Solution
The solution would be to provide an option to trust a custom CA in the gitops image. This can be achieved by reading in the CA bundle via an ENV variable or by using trust-manager to support multiple root CAs (https://cert-manager.io/docs/projects/trust-manager/).
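Added example (my code, not from the issue or the Weave GitOps project) tying the Secret/values configuration in the comment above and the ENV-variable idea in the Solution to what the server actually does: it constructs a private root CA and a leaf for keycloak.sylva, then verifies the leaf once against an empty trust bundle, reproducing the unknown authority error from the thread, and once against a bundle holding the CA, as the server's Go HTTP client does with roots loaded from the mounted ca.crt. The CA, leaf and their lifetimes are constructed for this example; the hostname, file path and Secret name are the ones from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeChain builds a constructed private root CA and a leaf for keycloak.sylva (stand-ins for the
// cert-manager issuer and the Keycloak server cert); caPEM is what the custom-root-ca Secret carries.
func makeChain() (caPEM []byte, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now, later := time.Now(), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: later,
		Subject: pkix.Name{CommonName: "constructed private root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: later, DNSNames: []string{"keycloak.sylva"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	leaf, err = x509.ParseCertificate(leafDER) // fails if the leaf could not be issued
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, err
}

// verifyWithBundle mirrors the check the gitops server's Go TLS client performs at OIDC discovery:
// validate the Keycloak chain against roots loaded from the file mounted at /etc/ssl/certs/ca.crt.
func verifyWithBundle(leaf *x509.Certificate, bundlePEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // an empty bundle leaves the pool empty
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "keycloak.sylva"})
	return err // x509.UnknownAuthorityError when the root is missing, as in the issue
}

func main() {
	caPEM, leaf, err := makeChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("empty bundle:", verifyWithBundle(leaf, nil))
	fmt.Println("with CA:", verifyWithBundle(leaf, caPEM))
}
```

Because the Secret is mounted over /etc/ssl/certs, the container's trust store at that path holds only the CAs in the Secret, so the bundle has to carry every root the server must trust.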