Configure Bundle CA Cert if provided #144
Conversation
I just tested this out and all deployments template correctly and the application deploys. I tested with bundle_cacert_secret specified on the spec, and without.
Signed-off-by: Christian M. Adams <chadams@redhat.com>
46fab37 to 59498a3
I'm looking forward to this one being merged and delivered with the next version of AAP :) 🤞
docs/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.md
LGTM
| image_version | Image version to pull | main |
| image_web | Path of the image to pull | quay.io/ansible/eda-ui |
| image_web_version | Image version to pull | latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
Not related to the PR, but shouldn't this rather be "latest", especially when we are using images that point to latest? (It means they are potentially upgradable.)
I see, so for quay.io/ansible/eda-server, latest is the latest tagged release, and main is the latest commit on the main branch.
So, like you said, we should use latest in the operator defaults for that reason (more stable). I just updated the PR to reflect that in the defaults.
59498a3 to a4cc6f6
Summary
When deploying EDA into an environment where a private Git server is in use with private CA-signed certificates in front of it, EDA worker pods fail to `git clone` when Git projects are defined. The awx-operator allows for private CA-signed certs via the bundle_cacert_secret property in the AutomationController CRD. This PR adopts the same pattern for the EDA-server-operator.
Docs for Trusting a Custom Certificate Authority
In cases where you need to trust a custom Certificate Authority, there are a few variables you can customize for the awx-operator. Trusting a custom Certificate Authority allows EDA to access network services configured with SSL certificates issued locally, such as cloning a project from an internal Git server via HTTPS. In these scenarios it is common to see the error `unable to verify the first certificate`.

Please note the eda-server-operator will look for the data field `ldap-ca.crt` in the specified secret when using `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for the `bundle_cacert_secret` parameter. An example customization could be:
Create the secret with CLI:
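A common failure when following these docs is creating the secret with the wrong data field name (for example reusing an `ldap-ca.crt` secret for `bundle_cacert_secret`). The check below is an added example, not part of the operator or the PR: it takes a decoded EDA custom resource and the Secret manifests from its namespace and reports any parameter whose secret is missing, lacks the expected data field, or does not hold a PEM certificate. The CR and Secret dicts are constructed samples; the parameter-to-field mapping is the one the docs above state.

```python
import base64

# Parameter on the EDA spec -> data field the eda-server-operator reads from the secret
# (taken from the PR docs; bundle_cacert_secret is the one this PR adds).
EXPECTED_DATA_KEY = {
    "bundle_cacert_secret": "bundle-ca.crt",
    "ldap_cacert_secret": "ldap-ca.crt",
}


def check_ca_secrets(cr, secrets):
    """Return a list of problems; an empty list means every referenced secret is usable.

    cr: decoded EDA custom resource (dict); secrets: dict of secret name -> Secret manifest.
    """
    problems = []
    for param, key in EXPECTED_DATA_KEY.items():
        name = cr.get("spec", {}).get(param)
        if not name:
            continue  # parameter not set, nothing to validate
        secret = secrets.get(name)
        if secret is None:
            problems.append(f"{param}={name!r}: secret not found in namespace")
            continue
        data = secret.get("data", {})
        if key not in data:
            problems.append(f"{param}={name!r}: missing data field {key!r}; found {sorted(data)}")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{param}={name!r}: {key!r} is not valid base64 text")
            continue
        if "-----BEGIN CERTIFICATE-----" not in pem:
            problems.append(f"{param}={name!r}: {key!r} does not contain a PEM certificate")
    return problems


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM (not a real certificate) and sample manifests.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_SECRETS = {
    "eda-custom-certs": {"data": {"bundle-ca.crt": _b64(FAKE_PEM)}},
    "ldap-ca": {"data": {"bundle-ca.crt": _b64(FAKE_PEM)}},  # wrong field for ldap_cacert_secret
}
SAMPLE_CR = {"spec": {"bundle_cacert_secret": "eda-custom-certs", "ldap_cacert_secret": "ldap-ca"}}

if __name__ == "__main__":
    for problem in check_ca_secrets(SAMPLE_CR, SAMPLE_SECRETS):
        print(problem)
```

Against a live cluster, the same function can be fed the output of `kubectl get eda <name> -o json` and `kubectl get secrets -o json` after decoding them with the `json` module.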