
Add documentation about docker registry with custom certificate #442

Open
tchiotludo opened this issue Aug 18, 2023 · 5 comments
Labels
documentation Improvements or additions to documentation


@tchiotludo
Member

We need to configure Docker dind to be able to pull from that registry; right now we get this error:

Status 500: {"message":"Get \"https://harbor.jura.ch/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}.

The user needs to configure and mount the CA root:

-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

see this

@gioccher

gioccher commented Nov 9, 2023

It looks like there are more places where the self-signed CA certificate needs to be applied: the Java keystore of the kestra container and the dind containers (so that pip can download packages).

Here's how I applied it to the Java keystore

Dockerfile

# Start from the official full image and add the corporate CA to the JDK truststore.
FROM kestra/kestra:latest-full
COPY nscacert.pem /tmp/nscacert.pem
# Import into the JDK's default cacerts store; "changeit" is that store's default password.
RUN /opt/java/openjdk/bin/keytool -importcert -file "/tmp/nscacert.pem" -alias YourCustomCA -trustcacerts -cacerts -storepass changeit -noprompt

docker-compose.yml

...
  kestra:
    # Build the image from the Dockerfile above instead of pulling kestra/kestra directly.
    image: "yourrepo/kestra:latest-full"
    build:
      context: "."
...

It's unclear to me how to apply it to the dind containers. The link to Slack is not valid.
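The two comments above leave the practitioner with two questions: is the CA actually inside the bundle that gets bind-mounted (the "certificate signed by unknown authority" error is exactly what you see when it is not), and where does the Docker daemon inside the dind container look for it. The script below is an added example for this issue, not Kestra's own code. It checks a PEM bundle for a CA by SHA-256 fingerprint, appends it idempotently when missing, and stages the CA under the per-registry layout `/etc/docker/certs.d/<host[:port]>/ca.crt` that the Docker daemon consults, which you can bind-mount into the dind container instead of overwriting its whole system bundle. Assumptions: the directory name must match the registry host exactly as it appears in the image reference (port included only when the reference has one); the "certificates" in the sample are constructed byte strings in PEM armour, not real X.509 data, since only fingerprints are exercised; the `registry_host`, `stage_for_dind` and `mount_flag` helpers are illustrative names. Trust inside task containers (pip) is not covered here.

```python
"""Check and stage a custom CA for a Docker registry (added example, not Kestra's code)."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_blocks(text: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    return hashlib.sha256(der).digest().hex(":").upper()


def bundle_contains(bundle_text: str, ca_pem: str) -> bool:
    """True only if every certificate in ca_pem is already present in the bundle."""
    wanted = pem_blocks(ca_pem)
    if not wanted:
        raise ValueError("ca_pem holds no CERTIFICATE block")
    present = {fingerprint(d) for d in pem_blocks(bundle_text)}
    return all(fingerprint(d) in present for d in wanted)


def merge_bundle(bundle_text: str, ca_pem: str) -> str:
    """Return the bundle with ca_pem appended; unchanged if it is already there."""
    if bundle_contains(bundle_text, ca_pem):
        return bundle_text
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + ca_pem.strip() + "\n"


def registry_host(registry: str) -> str:
    """host[:port] exactly as Docker keys its certs.d directory (port only if given)."""
    if "://" not in registry:
        registry = "https://" + registry  # accept bare "host[:port]" too
    parts = urlparse(registry)
    if not parts.hostname:
        raise ValueError(f"no host in {registry!r}")
    return parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"


def stage_for_dind(registry: str, ca_pem: str, root: Path) -> Path:
    """Write root/<host[:port]>/ca.crt; root is then bind-mounted at /etc/docker/certs.d in dind."""
    if not pem_blocks(ca_pem):
        raise ValueError("ca_pem holds no CERTIFICATE block")
    target = root / registry_host(registry) / "ca.crt"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(ca_pem.strip() + "\n")
    return target


def mount_flag(root: Path) -> str:
    """The docker run / compose volume flag that exposes the staged tree to the dind daemon."""
    return f"-v {root}:/etc/docker/certs.d:ro"


def _fake_cert(label: bytes) -> str:
    """Constructed sample: PEM armour around arbitrary bytes, NOT a real X.509 certificate."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


SYSTEM_BUNDLE = _fake_cert(b"public-root-1") + _fake_cert(b"public-root-2")  # constructed
CORP_CA = _fake_cert(b"corp-private-root")  # constructed stand-in for the corporate root


def demo() -> dict:
    """Run the check, merge and staging on the constructed samples and report the results."""
    root = Path(tempfile.mkdtemp())
    before = bundle_contains(SYSTEM_BUNDLE, CORP_CA)
    merged = merge_bundle(SYSTEM_BUNDLE, CORP_CA)
    staged = stage_for_dind("https://harbor.jura.ch/v2/", CORP_CA, root)
    return {
        "in_bundle_before": before,
        "in_bundle_after": bundle_contains(merged, CORP_CA),
        "idempotent": merge_bundle(merged, CORP_CA) == merged,
        "cert_count": len(pem_blocks(merged)),
        "staged": str(staged.relative_to(root)),
        "mount": mount_flag(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `bundle_contains` against the `ca-certificates.crt` you intend to mount before starting the stack; if it returns False, the mount will not change the error. The per-registry `certs.d` layout is preferable to replacing the system bundle because it adds trust for one registry host only and cannot drop the public roots the daemon needs for everything else.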

@tchiotludo
Member Author

@gioccher what is your error when trying to join our slack?

@gioccher

gioccher commented Nov 9, 2023

Messages and files older than 90 days are hidden
Upgrade to a paid plan to unlock your team’s full message and file history, plus all the premium features of the Pro plan.

The link points to an old message.

@tchiotludo
Member Author

You can join using that link.

@gioccher

gioccher commented Nov 13, 2023

I should clarify that I don't have a problem joining Kestra's Slack; I just can't see the Slack thread referenced in the link you included in the first comment of this GitHub issue.
Slack messages older than 90 days are not visible since Kestra's Slack workspace is on the free plan, and that link points to a message that is now too old.

With my comment I wanted to contribute another step that is required to add support for custom CA certificates (all too common in corporate networks) and to report that, if the Slack thread contained further instructions, they are now lost.

I ended up running kestra on a tools vm that doesn't use custom CA certificates, so this issue is not a blocker for me.

@anna-geller anna-geller added this to the v0.16.0 milestone Dec 5, 2023
@anna-geller anna-geller added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 5, 2023
@anna-geller anna-geller modified the milestones: v0.16.0, v0.19.0 Feb 12, 2024
@anna-geller anna-geller removed the enhancement New feature or request label Mar 13, 2024
@anna-geller anna-geller removed this from the v0.19.0 milestone Mar 13, 2024
Projects
Status: Backlog