weaveworks / weave-gitops

Weave GitOps provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.
https://docs.gitops.weave.works/
Apache License 2.0

Allow option to set custom root CA #3519

Closed. padlar closed this 1 year ago

padlar commented 1 year ago

Problem: We have configured a dex OpenShift provider using a custom CA in our setup, and we get the following error when we run Weave GitOps against it:

Error: could not initialise authentication server: could not create auth server: could not create provider: Get "https://dex.apps.<domain>/.well-known/openid-configuration": x509: certificate signed by unknown authority

Solution: Provide an option to trust a custom CA in the gitops image. This could be achieved by reading in the CA bundle via an environment variable, or by using trust-manager to support multiple root CAs (https://cert-manager.io/docs/projects/trust-manager/).

mihai66 commented 1 year ago

I'm running into the same issue using Keycloak. We've got cert-manager issuing certificates for both Keycloak and Weave, set up the custom certs to load using serverTLS; however, I don't seem to get around the issue even with --insecure.

Error: could not initialise authentication server: could not create auth server: could not create provider: Get "https://keycloak.sylva/realms/sylva/.well-known/openid-configuration": x509: certificate signed by unknown authority

padlar commented 1 year ago

As suggested by @bigkevmcd, a custom CA can be used today without any changes to the code by doing the following:

Create a Secret with the custom CA and add env, extraVolumes and extraVolumeMounts to values.yaml as shown below:

Secret (the base64 value is abbreviated in the original post):

apiVersion: v1
kind: Secret
metadata:
  name: custom-root-ca
type: Opaque
data:
  ca.crt: |
    RXdKT1R6RVJNQThHQTFVRUNoTUlVM1JoZEc1bGRIUXhHekFaQmdOVkJBTVRFbE4wWVhSdQ
    paWFIwSUZKdmIzUWdRMEVnTWpBZUZ3MHhNVEEwTVRNd056UXpNREZhRncwek5qQXlNVFl4
    TVRJd05URmFNRDB4CkN6QUpCZ05WQkFZVEFrNVBNUkV3RHdZRFZRUUtFd2hUZEdGMGJtVj
    BkREViTUJrR0ExVUVBeE1TVTNSaGRHNWwKZEhRZ1VtOXZkQ0JEUVNBeU1JSUJJakFOQmdr
    LS0tLQo=

values.yaml (these are top-level keys of the chart values):

envVars:
  - name: SSL_CERT_FILE
    value: /etc/ssl/certs/ca.crt
extraVolumes:
  - name: custom-ca-cert
    secret:
      secretName: custom-root-ca
extraVolumeMounts:
  - name: custom-ca-cert
    mountPath: /etc/ssl/certs
    readOnly: true

Closing the issue.
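The following is an added, self-contained Go example (not code from weave-gitops or from anyone in this thread) that reproduces the failure from the first comment and the fix from the last one: it stands up a constructed OIDC issuer whose certificate chains to a private root CA, fetches /.well-known/openid-configuration first with the default trust store (which yields the same x509 "certificate signed by unknown authority" error) and then with the CA loaded from a ca.crt file, the same thing the SSL_CERT_FILE mount does for the gitops binary. The issuer hostname and CA subject are hypothetical; the server listens on 127.0.0.1 so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

// FakeIssuer is a constructed stand-in for the dex/Keycloak endpoint in the thread:
// an HTTPS server whose certificate chains to a private, non-public root CA.
type FakeIssuer struct {
	Server *httptest.Server
	CAPEM  []byte // root CA certificate, PEM-encoded, as it would live in the Secret
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewFakeIssuer builds a private root CA, issues a leaf for 127.0.0.1 and starts a
// TLS server that answers the OIDC discovery path with a minimal document.
func NewFakeIssuer() *FakeIssuer {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Private Root CA"}, // hypothetical
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign,
	}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "dex.example.internal"}, // hypothetical
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	leafCert := mustCert(leafTmpl, caCert, &leafKey.PublicKey, caKey)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]string{"issuer": "https://" + r.Host})
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{leafCert.Raw, caCert.Raw}, PrivateKey: leafKey,
	}}}
	srv.StartTLS()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
	return &FakeIssuer{Server: srv, CAPEM: caPEM}
}

// LoadCABundle reads a PEM bundle the way Go's crypto/x509 reads SSL_CERT_FILE on Linux:
// every CERTIFICATE block becomes a trust anchor. It returns the pool and the count.
func LoadCABundle(path string) (*x509.CertPool, int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, 0, err
	}
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("%s: %w", path, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("%s: no CERTIFICATE blocks found", path)
	}
	return pool, n, nil
}

// FetchDiscovery performs the request the auth server makes on startup and returns the
// issuer from the discovery document. roots == nil means the system trust store.
func FetchDiscovery(issuerURL string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(issuerURL + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var doc struct{ Issuer string `json:"issuer"` }
	return doc.Issuer, json.Unmarshal(body, &doc)
}

// IsUnknownAuthority reports whether err is the "x509: certificate signed by unknown
// authority" failure, wherever it sits in the wrapped error chain.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	issuer := NewFakeIssuer()
	defer issuer.Server.Close()
	_, err := FetchDiscovery(issuer.Server.URL, nil) // default trust store: reproduces the issue
	fmt.Println("system roots:", err, "| unknown authority:", IsUnknownAuthority(err))

	dir, _ := os.MkdirTemp("", "custom-ca") // stands in for the mounted Secret
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ca.crt")
	_ = os.WriteFile(path, issuer.CAPEM, 0o600)
	pool, n, err := LoadCABundle(path)
	if err != nil {
		panic(err)
	}
	iss, err := FetchDiscovery(issuer.Server.URL, pool)
	fmt.Printf("custom roots (%d cert): issuer=%q err=%v\n", n, iss, err)
}
```

Two practical notes on the values.yaml approach from the thread. Go reads SSL_CERT_FILE once, when the system pool is first built, so the variable has to be present at process start (a pod restart, not a live edit). And a volume mounted at /etc/ssl/certs hides whatever the image already had there, so with that layout only the custom CA is trusted; if the pod must also reach public endpoints, mount the Secret key with subPath or at a separate path such as /etc/ssl/custom/ca.crt and point SSL_CERT_FILE at that file instead, which leaves the image's CA directory in place.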