
CAcert injection doesn't work easily when using custom schema

Open Archimonde666 opened this issue 1 month ago • 2 comments

When mounting CA into certificates.json as invited by https://github.com/InseeFrLab/helm-charts-interactive-services/blob/7705b7c43519d25ab3becd61f28d1da29a91ed5d/charts/jupyter-python/values.schema.json#L1061

(I'm using this certificates.json):

certificates.json: |
    { "$schema": "http://json-schema.org/draft-07/schema#",
      "title": "ca-certs",
      "type": "object",
      "properties": {
        "cacerts": {
          "type": "string",
          "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.",
          "default": "-----BEGIN CERTIFICATE-----
        MIIHZjCCBU6gAwIBAgIIYbJNv56Gpz4wDQYJKoZIhvcNAQELBQAwdTEtMCsGA1UE
        AwwkQUMgUmFjaW5lIEdlbmRhcm1lcmllIG5hdGlvbmFsZSAyMDE4MRcwFQYDVQQL
        -----END CERTIFICATE-----",
          "x-onyxia": {
            "hidden": true
          }
        },
        "pathToCaBundle": {
          "type": "string",
          "description": "String path where a bundle is made or injected by third party solution",
          "default": "/usr/local/share/ca-certificates/",
          "x-onyxia": {
            "hidden": true
          }
        }
      }
    }

I can observe 2 behaviors. Either I put the raw certificate, and it causes the api container to fail at init due to the formatting of the crt (I guess newlines and the minus sign within the -----BEGIN CERTIFICATE-----). I noted 2 core errors when trying it:

Caused by: java.lang.RuntimeException: Failed to load schema: certificates.json
Caused by: com.fasterxml.jackson.core.JsonParseException: Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 9, column: 19]

and

Caused by: java.lang.RuntimeException: Failed to load schema: certificates.json
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('-' (code 45)) in numeric value: expected digit (0-9) to follow minus sign, for valid numeric value
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 10, column: 8]

I managed to make the api container start by normalizing the string content (removing the newline characters). In this case, the string is correctly injected within the sub-service, for instance jupyter, in the /usr/local/share/ca-certificates folder and added to the truststore as expected. But due to the underlying bad formatting needed for it to be inserted in the json, the AC ends up in a mess in the final /etc/ssl/ca-certificate file and still doesn't allow making SSL requests.

I tested the same AC cert inserted manually outside the json and made it work.

Archimonde666, Nov 07 '25 20:11
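
The first Jackson error in the issue is raised for a literal line break (code 10) inside a JSON string. As an added example (not code from the issue or from the Onyxia project), this Python sketch reproduces that parse failure, emits the same schema shape with the PEM line breaks escaped as `\n`, and shows that stripping the line breaks instead destroys the PEM framing. The helper names and the stand-in certificate bytes are constructed, and it is an assumption that Onyxia writes the decoded `default` value to disk unchanged.

```python
import base64
import json
import re
import textwrap

# Constructed stand-in for DER certificate bytes; real input is your CA bundle.
FAKE_DER = bytes(range(256)) * 3

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# A block is well framed only if the armor and each base64 line sit on their own lines.
PEM_BLOCK = re.compile(
    r"^-----BEGIN CERTIFICATE-----\n((?:[A-Za-z0-9+/=]{1,64}\n)+)-----END CERTIFICATE-----$",
    re.MULTILINE,
)

def pem_blocks(text: str) -> list[bytes]:
    """Return the DER payload of each well-framed PEM block found in text."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(text)]

def build_schema(pem: str, bundle_path: str) -> str:
    """Serialize the schema with json.dumps so line breaks become \\n escapes."""
    hidden = {"hidden": True}
    schema = {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "title": "ca-certs",
        "type": "object",
        "properties": {
            "cacerts": {"type": "string", "default": pem, "x-onyxia": hidden},
            "pathToCaBundle": {"type": "string", "default": bundle_path, "x-onyxia": hidden},
        },
    }
    return json.dumps(schema, indent=2)

def raw_paste_parses(pem: str) -> bool:
    """Reproduce the failing case: PEM pasted between quotes with literal line breaks."""
    try:
        json.loads('{"default": "' + pem + '"}')
        return True
    except json.JSONDecodeError:
        return False

def default_after_roundtrip(schema_text: str) -> str:
    """Parse the schema back and return the cacerts default a consumer would see."""
    return json.loads(schema_text)["properties"]["cacerts"]["default"]
```

Inside the YAML `|` block of the values file the two-character `\n` sequences are kept verbatim, so it is the JSON parser that turns them back into line breaks.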