You would add your CA to the master’s trust bundle (ca.crt or ca-bundle.crt
on each master, usually via Ansible), which is then distributed to all
containers as /var/run/secrets/ and
available for many default actions like fetching source.  However, if you
are trying to add trusted CAs for other actions not controlled by OpenShift
(your applications) you’d need to add your CA to the trust bundle in your
images following the image’s OS instructions.  You *can* mount CAs as
secrets into pods, but that usually involves more work and putting it into
your images simplifies a lot of things. some of this.

On Apr 14, 2018, at 2:19 PM, Genadi Postrilko <> wrote:

Hello all,

I am running OCP 3.7 in an air-gapped, on-premise environment with our own
certificate authority.
I'm attempting to deploy an application which uses external services.
In a virtual machine the application works, because all the needed
certificate authorities are in the OS trusted store.
But when I tried to deploy the same application in OCP, I'm struggling to
add a certificate as a trusted CA.
One of the common use cases in our environment is in the build process of
nodejs s2i, in which our access to the npm registry failed because of the
lack of CA trust.
Other pre-built images with our applications also need a way to mount a
secret as a trusted CA.

Thank you,

Ron Cohen
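
A check for the approach described in the reply at the top of this thread, as an added example that is not part of the original messages: it reports whether a given CA certificate is actually present in a PEM trust bundle (the master's ca-bundle.crt or the bundle baked into an image). It compares DER fingerprints rather than text, so different line wrapping or CRLF line endings do not cause a false "missing". The function names and the sample PEM blocks are constructed for illustration; the sample blocks are placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def der_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate block in PEM text."""
    prints = set()
    for body in PEM_BLOCK.findall(pem_text):
        # Drop all whitespace so wrapping and CRLF do not affect the result.
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def missing_cas(required_pem, bundle_pem):
    """Fingerprints of required CAs that the bundle does not contain."""
    return der_fingerprints(required_pem) - der_fingerprints(bundle_pem)


def _sample_pem(payload, width=64, newline="\n"):
    """Build a constructed PEM block around placeholder bytes (not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    block = ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return newline.join(block) + newline


# Constructed sample data: same CA bytes, different wrapping and line endings.
CORP_CA = _sample_pem(b"constructed corporate root CA " * 8)
OTHER_CA = _sample_pem(b"constructed public CA " * 8)
BUNDLE_WITH = OTHER_CA + _sample_pem(
    b"constructed corporate root CA " * 8, width=76, newline="\r\n"
)
BUNDLE_WITHOUT = OTHER_CA

if __name__ == "__main__":
    # Usage: script.py <your-ca.pem> <bundle.pem>; exits 1 if a CA is missing.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ca, open(sys.argv[2]) as bundle:
            missing = missing_cas(ca.read(), bundle.read())
    else:
        missing = missing_cas(CORP_CA, BUNDLE_WITHOUT)
    for fp in sorted(missing):
        print("CA not in bundle, sha256:", fp)
    sys.exit(1 if missing else 0)
```

Running it against the bundle inside a built image confirms the CA made it into the image before an application starts failing TLS handshakes at runtime.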

users mailing list