By default the Artifactory pod runs as the user ‘artifactory’, and you do not have root access when you exec into the pod. Adding certificates to a container’s CA trust configuration files requires root, so we use a custom init container to run the necessary commands as root before the Artifactory container starts.
Here, we are using a Red Hat based container image for Artifactory, and values.yaml is configured accordingly (the paths and the update-ca-trust command below are specific to that image family).
Step 1: Create a ConfigMap from the certificate file that needs to be added to the CA trust store
kubectl create configmap my-certs --from-file=mycustom.crt -n <mynamespace>
Step 2: Use the below configuration snippet in the Artifactory values.yaml to import the certificates.
artifactory:
  customInitContainers: |
    - name: "sslsetup"
      image: "{{ .Values.initContainerImage }}"
      imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
      securityContext:
        privileged: true
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
      command:
        - 'sh'
        - '-c'
        - >
          mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
          /usr/bin/update-ca-trust extract;
      volumeMounts:
        - mountPath: "{{ .Values.artifactory.persistence.mountPath }}"
          name: artifactory-volume
        - name: my-certs
          mountPath: "/etc/pki/ca-trust/source/anchors/mycustom.crt"
          subPath: mycustom.crt
        - name: ssl-path
          mountPath: "/etc/pki/ca-trust/extracted"
          readOnly: false
  customVolumes: |
    - name: ssl-path
      emptyDir: {}
    - name: my-certs
      configMap:
        name: my-certs
  customVolumeMounts: |
    - name: my-certs
      mountPath: /etc/pki/ca-trust/source/anchors/mycustom.crt
      subPath: mycustom.crt
    - name: ssl-path
      mountPath: /etc/pki/ca-trust/extracted
Note: Make sure the volume and volume mount names used here (ssl-path and my-certs) are not already in use elsewhere in your values.yaml, and that initContainerImage points at a Red Hat based image that ships update-ca-trust, since the command above depends on it.
The above configuration performs the below actions:
- Creates a custom volume (an emptyDir) mounted at /etc/pki/ca-trust/extracted in the Artifactory pod; a shared volume is needed because changes an init container makes to its own filesystem are not visible to the main container
- Creates another custom volume mount at /etc/pki/ca-trust/source/anchors/mycustom.crt whose contents come from the my-certs ConfigMap
- Mounts both in the custom init container, which runs as root so that it can write the extracted trust files
- Runs update-ca-trust extract in the init container, which merges mycustom.crt into the extracted CA bundles that the Artifactory container then sees through the shared emptyDir
Only runAsUser: 0 is required for this; privileged: true grants the init container far wider access to the node than update-ca-trust needs and can be removed where cluster policy forbids privileged containers.
Step 3: Open a shell in the Artifactory container and fetch the URL with curl to confirm that the TLS certificate error is gone.
kubectl exec -it artifactory-0 -c artifactory -n <mynamespace> -- bash
curl -v https://<mycustomurl>
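A more direct check than the curl call is to confirm that the sslsetup init container actually merged mycustom.crt into the extracted bundle. The script below is an added example, not part of the original article or the JFrog chart; it assumes the anchor and bundle paths from the values.yaml above, and the pod and namespace are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original article. Confirms that the sslsetup init
# container actually merged mycustom.crt into the extracted trust bundle, rather
# than relying on the curl result alone. Assumptions: the anchor and bundle paths
# match the values.yaml above (RHEL-style ca-trust layout); <pod> and <namespace>
# are placeholders supplied on the command line.

ANCHOR=/etc/pki/ca-trust/source/anchors/mycustom.crt
BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# Print the base64 body of each CERTIFICATE block in a PEM file, one per line,
# with whitespace and line wrapping removed so differently wrapped copies match.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
        /-----END CERTIFICATE-----/   { print body; inblock = 0; next }
        inblock                       { gsub(/[[:space:]]/, ""); body = body $0 }
    ' "$1"
}

# Succeed (exit 0) only if the anchor file holds at least one certificate and
# every certificate in it also appears in the bundle file.
bundle_contains_anchor() {
    anchor="$1"; bundle="$2"; found=0
    bodies=$(pem_bodies "$bundle")
    for body in $(pem_bodies "$anchor"); do
        printf '%s\n' "$bodies" | grep -qxF -- "$body" || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}

# Copy both files out of the running Artifactory container and compare them.
verify_pod_trust() {
    pod="$1"; ns="$2"
    tmp=$(mktemp -d) || return 1
    kubectl exec "$pod" -c artifactory -n "$ns" -- cat "$ANCHOR" > "$tmp/anchor.crt"
    kubectl exec "$pod" -c artifactory -n "$ns" -- cat "$BUNDLE" > "$tmp/bundle.pem"
    if bundle_contains_anchor "$tmp/anchor.crt" "$tmp/bundle.pem"; then
        echo "OK: mycustom.crt is present in $BUNDLE"; rc=0
    else
        echo "FAIL: mycustom.crt not in $BUNDLE; check: kubectl logs $pod -c sslsetup -n $ns" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh verify-ca-trust.sh <pod> <namespace>
if [ "$#" -eq 2 ]; then verify_pod_trust "$1" "$2"; fi
```

If the check fails even though the init container completed, the usual cause is a volume name clash that left the emptyDir unmounted from one of the two containers.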