Bug 1475868 - [RFE] Provide an easier way to add a CA to the default trust in OpenShift images. [NEEDINFO]
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
Assigned To: Derek Carr
Xiaoli Tian
Reported: 2017-07-27 09:47 EDT by Ryan Howe
Modified: 2017-11-27 11:13 EST (History)
Description Ryan Howe 2017-07-27 09:47:33 EDT
Description of problem:
At this time, if one needs to add a CA to the default trust store of an image, they would need to rebuild the image.

For example, if a user needs to add a trusted CA to the docker registry for proxy pulls, they would need to rebuild the image to add the CA to the image.

$ cp ca.cert your_internalCA.crt
$ cat > /tmp/dockerfile << EOF
FROM openshift3/ose-docker-registry
USER root
ADD your_internalCA.crt /etc/pki/ca-trust/source/anchors
RUN /bin/update-ca-trust
USER 1001
EOF
$ cd /tmp
$ sudo docker build ./ -t ExternalRegistryURL:openshift3/ose-docker-registry-custom:latest
$ sudo docker push ExternalRegistryURL:openshift3/ose-docker-registry-custom:latest

Then change the DC of the registry, changing the image to point to the image that was created: 
# oc edit dc docker-registry

Looking for a way to provide a secret to an image that would automatically add the CA data to the CA trust for an OpenShift image.
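The rebuild procedure from the description, as an added example that is not part of the bug report or of any OpenShift tooling: a POSIX sh helper that checks the CA file before it is baked into an image (it must be a PEM certificate and must not also carry a private key, which would otherwise end up in every layer of the pushed image) and then writes the Dockerfile. The base image, anchor directory and UID 1001 come from the report; the function names and the COPY instruction are my own choices.

```shell
#!/bin/sh
# Added example, not the reporter's code: validate a CA file and emit the
# Dockerfile that adds it to the image's default trust store.
set -eu

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors   # anchor directory from the report

# Return 0 only if $1 is readable, holds a PEM certificate and no private key.
check_ca_file() {
  f=$1
  [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "refusing: $f contains a private key, never bake that into an image" >&2
    return 1
  fi
  grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no PEM certificate in $f" >&2; return 1; }
  return 0
}

# write_ca_dockerfile CA_FILE OUT_FILE [BASE_IMAGE]
# Writes a Dockerfile that copies CA_FILE into the trust anchors of BASE_IMAGE,
# regenerates the trust bundle as root, then drops back to the unprivileged
# UID 1001 the registry image runs as. COPY is used instead of ADD so the
# source is treated as a plain local file (no URL fetch, no archive unpacking).
write_ca_dockerfile() {
  ca=$1; out=$2; base=${3:-openshift3/ose-docker-registry}
  check_ca_file "$ca" || return 1
  name=$(basename "$ca")
  case "$name" in
    *.crt|*.pem) ;;
    *) echo "rename $name with a .crt or .pem suffix" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
FROM $base
USER root
COPY $name $ANCHOR_DIR/$name
RUN /bin/update-ca-trust
USER 1001
EOF
}
```

The Dockerfile is written next to wherever OUT_FILE points; the CA file must be copied into that build context before `docker build`, as in the report's `cp` step.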
Comment 1 Eduardo Minguez 2017-11-08 08:32:09 EST
Related? https://github.com/openshift/origin/issues/1753
Comment 2 Ryan Howe 2017-11-14 16:54:25 EST
This is also wanted for S2I builds when a proxy requires all outbound traffic to trust its CA.
