Hi Everyone,
I have an OpenShift installation which is sitting behind an appliance
which intercepts outbound SSL traffic. Regular machines have the SSL
certificate of the appliance installed on them and they are able to
access the internet without any issues.
My issue is during the build: because OpenShift builds images in
containers, the container which is building the code doesn't have
the SSL certificate of the interceptor installed in it. So grabbing code
dependencies from npm, maven or pypi during a build fails because the
build tries to connect to the repo manager via HTTPS, but since the CA
of the interceptor is not installed in the build container it fails.
My question is: How can I inject the CA certificate of the interceptor
in the build container so that the traffic from the interceptor is trusted?
So far I've tried two options but they failed:
Option #1: a customized .s2i/bin/assemble script which downloads the
certificate into /etc/pki/ca-trust/source/anchors/ and runs
update-ca-trust. But this option fails with:
$ oc logs dsqc-4-build
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:--
--:--:-- 0Warning: Failed to create the file
Warning:
/etc/pki/ca-trust/source/anchors/ZscalerRootCertificate-2048-SHA256.cr
Warning: t: Permission denied
52 1732 52 901 0 0 14515 0 --:--:-- --:--:--
--:--:-- 14770
curl: (23) Failed writing body (0 != 901)
p11-kit: couldn't create file:
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt: Permission denied
p11-kit: couldn't create file:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: Permission denied
p11-kit: couldn't create file:
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem: Permission denied
p11-kit: couldn't create file:
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem: Permission denied
p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/java/cacerts:
Permission denied
/tmp/scripts/assemble: line 14: /tmp/scripts/s2i-setup: No such file or
directory
error: build error: non-zero (13) exit code from
registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift@sha256:6c009f430da02bdcff618a7dcd085d7d22547263eeebfb8d6377a4cf6f58769d
Option #2: following the steps detailed in
https://docs.openshift.com/container-platform/3.9/dev_guide/builds/build_inputs.html#using-secrets-during-build
but it fails with the error:
$ oc logs po/dsqc-5-build
error: Uploading to container failed: Error response from daemon:
{"message":"Error processing tar file(exit status 1): mkdir
/certs/..2018_07_16_23_14_03.650131122: no such file or directory"}
ERROR: The destination directory for
"/var/run/secrets/openshift.io/build/root-certificate" injection must
exist in container ("/etc/ssl/certs")
Any help is extremely appreciated.
--
Regards,
Ahmed Ossama
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
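The "Permission denied" errors in option #1 come from the build running as an unprivileged user, which cannot write under /etc/pki. As an added example (not from the original post, OpenShift or the s2i images), here is an assemble helper that installs the interceptor CA into a user-writable directory and points curl, pip, node/npm and maven at it through environment variables instead; it assumes a writable $HOME and that the CA file is already in the container (fetched with curl or copied from a build secret).

```shell
#!/bin/sh
# Added example: install a proxy/interceptor CA without root by using a
# user-writable trust directory and the env vars the package tools honour.
# Assumption: the builder runs as a non-root user with a writable $HOME.
set -eu

CA_DIR="${CA_DIR:-${HOME:-/tmp}/ca-trust}"   # user-writable trust directory

# Build a bundle = system CAs + interceptor CA, so tools that accept only one
# bundle file keep trusting public CAs too. Prints the bundle path.
install_interceptor_ca() {
  src="$1"   # PEM file, e.g. fetched with curl or copied from a build secret
  grep -q 'BEGIN CERTIFICATE' "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
  mkdir -p "$CA_DIR"
  bundle="$CA_DIR/bundle.pem"
  : > "$bundle"
  for sys in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
    if [ -r "$sys" ]; then cat "$sys" >> "$bundle"; break; fi
  done
  cat "$src" >> "$bundle"
  cp "$src" "$CA_DIR/interceptor-ca.pem"
  echo "$bundle"
}

# Export the variables that curl, pip, Python requests, node and npm honour.
export_ca_env() {
  bundle="$1"
  export SSL_CERT_FILE="$bundle" CURL_CA_BUNDLE="$bundle"
  export REQUESTS_CA_BUNDLE="$bundle" PIP_CERT="$bundle"
  export NODE_EXTRA_CA_CERTS="$CA_DIR/interceptor-ca.pem"   # node appends it
  export npm_config_cafile="$bundle"
}

# Java/maven need a truststore: copy the JRE cacerts and import the CA.
# Skipped (with a notice) when keytool or the system cacerts is not found.
export_java_truststore() {
  ca="$1"; store="$CA_DIR/cacerts"
  sys="${JAVA_HOME:-/usr/lib/jvm/jre}/lib/security/cacerts"
  if ! command -v keytool >/dev/null 2>&1 || [ ! -r "$sys" ]; then
    echo "keytool or $sys not found; Java truststore not configured" >&2; return 0
  fi
  cp "$sys" "$store"
  keytool -importcert -noprompt -keystore "$store" -storepass changeit \
          -alias interceptor -file "$ca"
  export MAVEN_OPTS="${MAVEN_OPTS:-} -Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=changeit"
}
```

Call these from .s2i/bin/assemble before the original s2i assemble step, so the dependency downloads run with the exported variables in place.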