-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC with custom CA not usable #4173
Comments
We are going to provide a simple way to do this, but you can customise a HelmRelease with a post-render postRenderers:
- kustomize:
patchesStrategicMerge:
- apiVersion: apps/v1
kind: Deployment
metadata:
name: weave-gitops-enterprise-mccp-cluster-service
namespace: flux-system
spec:
template:
spec:
containers:
- name: clusters-service
volumeMounts:
- mountPath: /usr/local/share/ca-certificates
name: custom-ca
env:
- name: SSL_CERT_FILE
value: /usr/local/share/ca-certificates/ca-bundle.crt
volumes:
- configMap:
defaultMode: 420
name: custom-ca
name: custom-ca |
Implementing a simple way to do this is high up on our priority list. |
I have added an option to specify an existing Secret which holds one or more CA certificates which get added to the base certificates in an init container and then mounted in the main one. I used the debug image of gitops' base image to get access to a shell. Maybe this can help in finding a (generic) solution.
|
in our case we tried using the existing variables on the chart (extraVolumeMounts, extraVolumes, envVars), and it worked.
|
Describe the bug
I am trying to use OIDC with Weave Gitops, however due to my identity server having a custom/self-signed SSL certificate, Gitops cannot connect to the IdP and terminates.
I could not find any way to let Gitops use a custom CA, either by passing an additional argument or via the helm chart.
Environment
To Reproduce
Steps to reproduce the behavior:
Configure
issuerURL
in secretoidc-auth
to an HTTPS service which is configured with a custom/self-signed certificate and start/restart the Gitops pod.Expected behavior
There is a way to provide a custom CA file for Gitops to trust
Actual Behavior
Gitops pod terminates because it does not trust the certificate of the IdP.
The text was updated successfully, but these errors were encountered: