You would add your CA to the master’s trust bundle (ca.crt or ca-bundle.crt on each master, usually via Ansible), which is then distributed to all containers as /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and available for many default actions like fetching source. However, if you are trying to add trusted CAs for other actions not controlled by OpenShift (your applications) you’d need to add your CA to the trust bundle in your images following the image’s OS instructions. You *can* mount CAs as secrets into pods, but that usually involves more work and putting it into your images simplifies a lot of things.
https://access.redhat.com/solutions/3110231 covers some of this.

On Apr 14, 2018, at 2:19 PM, Genadi Postrilko <genadip...@gmail.com> wrote:

Hello all,

I am running OCP 3.7 in an air-gapped, on-premise environment with our own certificate authority. I'm attempting to deploy an application which uses external services. In a virtual machine the application works, because all the needed certificate authorities are in the OS trusted store. But when I tried to deploy the same application in OCP, I'm struggling to add a certificate as a trusted CA.

One of the common use cases in our environment is in the build process of nodejs s2i, in which our access to the npm registry failed because of the lack of CA trust. Other pre-built images with our applications also need a way to mount a secret as a trusted CA.

Thank you,
Ron Cohen

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
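Added example, not part of the original thread: a check, run inside a pod or image, of which trust bundles actually contain your CA, by comparing SHA-256 fingerprints of the certificates in each file. The function names are hypothetical, the second bundle path assumes a RHEL-family image, and the sample data is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Bundle locations: the first is the path named in the reply above; the second
# is the RHEL-family system bundle (an assumption about the image's base OS).
DEFAULT_BUNDLES = [
    "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
]

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of each certificate in a PEM file or bundle."""
    result = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # tolerate CRLF and indentation
        result.add(hashlib.sha256(der).hexdigest())
    return result

def check_bundles(ca_pem, bundles):
    """Return {bundle name: True if every cert in ca_pem is in that bundle}."""
    wanted = fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no certificate found in the CA file")
    return {name: wanted <= fingerprints(text) for name, text in bundles.items()}

def sample_pem(der):
    """Constructed sample data: PEM armour around placeholder bytes, not a real cert."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

SAMPLE_CA = sample_pem(b"constructed corporate root CA")
SAMPLE_BUNDLES = {
    "with-ca": sample_pem(b"constructed public CA") + "# comment\r\n" + SAMPLE_CA,
    "without-ca": sample_pem(b"constructed public CA"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py my-ca.crt [bundle ...]
        ca = Path(sys.argv[1]).read_text()
        paths = sys.argv[2:] or DEFAULT_BUNDLES
        found = {p: Path(p).read_text() for p in paths if Path(p).is_file()}
    else:  # no arguments: run on the constructed sample data
        ca, found = SAMPLE_CA, SAMPLE_BUNDLES
    for name, ok in check_bundles(ca, found).items():
        print(("present  " if ok else "missing  ") + name)
```

A match only shows that the CA is in that file; a runtime that keeps its own CA store, as Node.js does, still has to be pointed at the bundle separately.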