dosubot[bot] commented on issue #7928:
URL:
https://github.com/apache/incubator-devlake/issues/7928#issuecomment-2305990879
To address the issue with the missing SAN names in the SSL certificates
generated by GCP Cloud SQL, you can add your root CA to the `devlake` container
and update the CA certificates within the container. Here is an example of how
to do this using `docker-compose`:
```yaml
devlake:
  image: apache/devlake:v...
  ...
  volumes:
    ...
    - /path/to/your/rootCA.crt:/usr/local/share/ca-certificates/rootCA.crt
  command: [ "sh", "-c", "update-ca-certificates; lake" ]
  ...
```
Since you are using Helm, you can adapt this approach by adding the root CA
to your Helm chart configuration. Here is an example of how to do this:
1. **Create a Kubernetes secret with your root CA:**
```shell
kubectl create secret generic root-ca-cert \
  --from-file=rootCA.crt=/path/to/your/rootCA.crt
```
2. **Update your Helm chart to mount the root CA and update the CA certificates:**
```yaml
volumeMounts:
  - name: newcerts
    mountPath: /etc/ssl/certs
  - name: root-ca-cert
    mountPath: /usr/local/share/ca-certificates/rootCA.crt
volumes:
  - name: newcerts
    secret:
      secretName: newcerts
  - name: root-ca-cert
    secret:
      secretName: root-ca-cert
initContainers:
  - name: update-ca-certificates
    image: busybox
    command: ["sh", "-c", "update-ca-certificates"]
    volumeMounts:
      - name: root-ca-cert
        mountPath: /usr/local/share/ca-certificates/rootCA.crt
```
3. **Ensure the `IN_SECURE_SKIP_VERIFY=true` environment variable is set:**
```yaml
env:
  - name: IN_SECURE_SKIP_VERIFY
    value: "true"
```
This setup should help in cases where the generated SSL certificates have
CN=Google Cloud SQL Server CA but are missing SAN names, and mounting the
required certs and setting `IN_SECURE_SKIP_VERIFY=true` does not resolve the
issue
<sup>[[1]](https://github.com/apache/incubator-devlake-website/blob/main/docs/Troubleshooting/Configuration.md)</sup><sup>[[2]](https://github.com/apache/incubator-devlake-website/blob/main/versioned_docs/version-v0.19/Troubleshooting/Configuration.md)</sup><sup>[[3]](https://github.com/apache/incubator-devlake-website/blob/main/versioned_docs/version-v0.15/Troubleshooting/Configuration.md)</sup>.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
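
An added example, not part of the original comment or of the DevLake code base: with Go's standard `crypto/x509`, trusting a root CA and matching the hostname are separate checks, so a leaf certificate without SAN entries can chain to a trusted root and still fail name verification. The CA name, the hostname `db.example.internal` and the helpers `check`, `issue` and `verifyLeaf` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a constructed test certificate; a nil parent yields a self-signed root CA.
func issue(cn string, sans []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: sans,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyLeaf trusts only a freshly generated root, then verifies a leaf with and without a hostname.
func verifyLeaf(host string, sans []string) (chainOK, nameOK bool, nameErr error) {
	root, rootKey := issue("Constructed Root CA", nil, nil, nil)
	leaf, _ := issue(host, sans, root, rootKey) // CN is the host; sans == nil means no SAN extension
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, chainErr := leaf.Verify(x509.VerifyOptions{Roots: pool}) // chain only, no name check
	_, nameErr = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return chainErr == nil, nameErr == nil, nameErr
}

func main() {
	fmt.Println(verifyLeaf("db.example.internal", nil))                             // no SAN
	fmt.Println(verifyLeaf("db.example.internal", []string{"db.example.internal"})) // with SAN
}
```

The first call reports a trusted chain together with a hostname error, and the second passes both checks.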