Re: Adding trusted CA into application pod

2018-04-14 Thread Clayton Coleman
You would add your CA to the master’s trust bundle (ca.crt or ca-bundle.crt
on each master, usually via Ansible), which is then distributed to all
containers as /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and
available for many default actions like fetching source.  However, if you
are trying to add trusted CAs for other actions not controlled by OpenShift
(your applications) you’d need to add your CA to the trust bundle in your
images following the image’s OS instructions.  You *can* mount CAs as
secrets into pods, but that usually involves more work and putting it into
your images simplifies a lot of things.

https://access.redhat.com/solutions/3110231 covers some of this.

On Apr 14, 2018, at 2:19 PM, Genadi Postrilko wrote:

Hello all,

I am running OCP 3.7 in an air-gapped, on-premise environment with our own
certificate authority.
I'm attempting to deploy an application which uses external services.
In a virtual machine the application works, because all the needed
certificate authorities are in the OS trusted store.
But when I tried to deploy the same application in OCP, I'm struggling to
add a certificate as a trusted CA.
One of the common use cases in our environment is in the build process of
nodejs s2i, in which our access to the npm registry failed because of the lack of
CA trust.
Other pre-built images with our applications also need a way to mount
a secret as a trusted CA.

Thank you,

Ron Cohen

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
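
Added example, not part of the original thread: a check to run inside a pod or image to see which trust bundle actually contains your CA, since the reply above distinguishes the service account bundle from the image's own OS bundle. The RHEL-style bundle path and the script name check_ca.py are assumptions; it compares certificate fingerprints only and does not validate chains.

```python
import base64
import hashlib
import re
import sys

# Assumed paths: the first is the bundle named in the reply above, the second
# is the usual RHEL/CentOS system bundle that applications in the image read.
BUNDLES = [
    "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
]
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block found in pem_text."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # skip a damaged block, keep checking the rest
        found.add(hashlib.sha256(der).hexdigest())
    return found

def bundles_trusting(ca_pem, bundles):
    """Map bundle name -> True/False, or None if the bundle was unreadable."""
    wanted = fingerprints(ca_pem)
    if len(wanted) != 1:
        raise ValueError("expected exactly one CA certificate")
    return {name: None if text is None else wanted <= fingerprints(text)
            for name, text in bundles.items()}

def read_text(path):
    """Return the file's text, or None if it is missing or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

if __name__ == "__main__":  # usage: python check_ca.py corp-ca.pem
    report = bundles_trusting(read_text(sys.argv[1]) or "",
                              {p: read_text(p) for p in BUNDLES})
    for path, present in report.items():
        print(path, {True: "contains CA", False: "CA missing",
                     None: "unreadable"}[present])
```

A CA that shows up only in the service account bundle is trusted for the OpenShift-controlled actions the reply mentions, but not by application code that reads the image's OS bundle.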


Adding trusted CA into application pod

2018-04-14 Thread Genadi Postrilko
Hello all,

I am running OCP 3.7 in an air-gapped, on-premise environment with our own
certificate authority.
I'm attempting to deploy an application which uses external services.
In a virtual machine the application works, because all the needed
certificate authorities are in the OS trusted store.
But when I tried to deploy the same application in OCP, I'm struggling to
add a certificate as a trusted CA.
One of the common use cases in our environment is in the build process of
nodejs s2i, in which our access to the npm registry failed because of the lack of
CA trust.
Other pre-built images with our applications also need a way to mount
a secret as a trusted CA.

Thank you,

Ron Cohen