[Bug]: CA handling is not working
Please add the exact image (with tag) that you are using
eclipse-temurin:11-jdk
Please add the version of Docker you are running
Kubernetes
What happened?
I created a ConfigMap that includes a CA file (MyOrg-RootCA.crt in my example), then mounted it to the /certificates directory as described on Docker Hub. Then I started the pod using the Kustomization below.
I found __cacert_entrypoint.sh when I entered the container with a shell, and I see the output below when I run it.
```text
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
```
After some investigation I found the following contents in /usr/local/share/ca-certificates/:
```text
drwxr-xr-x 1 root root 4096 Feb 8 03:49 .
drwxr-xr-x 1 root root 4096 Feb 2 07:42 ..
lrwxrwxrwx 1 root root   23 Feb 8 03:19 MyOrg-RootCA.crt -> ..data/MyOrg-RootCA.crt
```
It's a broken symlink. Maybe we need to use cp -s instead of cp -a.
Here are the contents of /certificates:
```text
drwxr-xr-x 2 root root 4096 Feb 8 03:19 ..2024_02_08_03_19_14.996191449
lrwxrwxrwx 1 root root   31 Feb 8 03:19 ..data -> ..2024_02_08_03_19_14.996191449
lrwxrwxrwx 1 root root   23 Feb 8 03:19 MyOrg-RootCA.crt -> ..data/MyOrg-RootCA.crt
```
kustomization.yaml
```yaml
configMapGenerator:
  - name: cacerts
    files:
      - MyOrg-RootCA.crt
resources:
  - pod.yaml
```
pod.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: openjdk
spec:
  containers:
    - name: openjdk
      image: eclipse-temurin:11-jdk
      command: [ "/bin/bash", "-c", "--" ]
      args: [ "while true; do sleep 30; done;" ]
      volumeMounts:
        - name: cacerts
          mountPath: /certificates
      env:
        - name: USE_SYSTEM_CA_CERTS
          value: "1"
  volumes:
    - name: cacerts
      configMap:
        name: cacerts
```
Relevant log output
No response
@rassie hello, could you please see this issue? Thank you.
Is the problem that ..data/MyOrg-RootCA.crt should be ../data/MyOrg-RootCA.crt?
It's copying the symlink as is, but the file it points to doesn't exist. It works fine with cp -s.
Oh, that's not nice, I should have seen that coming. In principle, cp -a should be fine, we just don't consider dotted files when copying, but I think ..data is a mount-point, which would not be copied correctly. The solution might be as simple as making a cp -aL out of cp -a.
I'm a bit time-constrained at the moment, someone care to make a PR with cp changed and a bit of symlink magic in .test/tests/java-ca-certificates-update/?
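To make the cp -a versus cp -aL discussion above concrete, here is an added example (not code from the eclipse-temurin image, its entrypoint, or anyone in this thread). It recreates, in a scratch directory, the layout the `ls` output in the report shows for a ConfigMap volume (a dotted timestamped directory, a `..data` symlink to it, and one symlink per key into `..data`), copies the `*.crt` entry with both flag sets, and checks whether the result is a readable file. The timestamp directory name, the certificate body, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the image's entrypoint code. Shows why `cp -a` of a
# ConfigMap-mounted certificate leaves a dangling symlink while `cp -aL`
# writes the real file. Every path and the "certificate" body are constructed.
set -eu

# Build a fake ConfigMap mount under $1, mirroring the `ls` output in the report:
#   ..<timestamp>/MyOrg-RootCA.crt   (the real data)
#   ..data -> ..<timestamp>          (symlink Kubernetes swaps on updates)
#   MyOrg-RootCA.crt -> ..data/MyOrg-RootCA.crt
make_fake_configmap_mount() {
  mnt="$1"
  data="..2024_02_08_03_19_14.996191449"   # constructed timestamp directory
  mkdir -p "$mnt/$data"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE' \
    '-----END CERTIFICATE-----' > "$mnt/$data/MyOrg-RootCA.crt"
  ln -s "$data" "$mnt/..data"
  ln -s "..data/MyOrg-RootCA.crt" "$mnt/MyOrg-RootCA.crt"
}

# Copy the *.crt entries from $1 into $2 with the cp flag in $3.
# The glob skips dotted names, so ..data itself is never copied:
#   -a  recreates the symlink verbatim, and in $2 it points nowhere;
#   -aL follows the symlink and copies the file content instead.
copy_certs() {
  src="$1"; dst="$2"; flags="$3"
  mkdir -p "$dst"
  cp "$flags" "$src"/*.crt "$dst"/
}

# Succeed only if every *.crt in $1 resolves to a regular file.
# `ls` still lists a dangling symlink, but `[ -f ]` follows it and fails.
certs_are_readable() {
  for f in "$1"/*.crt; do
    [ -f "$f" ] || return 1
  done
  return 0
}

# Run both copies against the fake mount and report what each produced.
demo() {
  tmp="$(mktemp -d)"
  make_fake_configmap_mount "$tmp/certificates"
  for flags in -a -aL; do
    copy_certs "$tmp/certificates" "$tmp/copied$flags" "$flags"
    if certs_are_readable "$tmp/copied$flags"; then
      echo "cp $flags: MyOrg-RootCA.crt is a readable regular file"
    else
      echo "cp $flags: MyOrg-RootCA.crt is a dangling symlink -> $(readlink "$tmp/copied$flags/MyOrg-RootCA.crt")"
    fi
  done
  rm -rf "$tmp"
}

demo
```

The `certs_are_readable` check is also a cheap thing to run in a container after the entrypoint has copied certificates: a dangling symlink shows up in `ls` exactly like a real file, which is why the "0 added" line in the report is the only visible symptom.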
@dulmandakh - Thanks, we'll get round to this, but PR's are welcome as well :-)
Hello, in Mongolia we're celebrating the lunar new year, so I won't be able to work for the next 3-4 days. Please feel free to create a fix.
My workaround for now:
```yaml
volumeMounts:
  - name: cacerts
    mountPath: /certificates/MyOrg-RootCA.crt
    subPath: MyOrg-RootCA.crt
```