Support for corporate environments - CA certs, HTTP proxies
We're attempting to use Riff (which in turn uses Knative Build) inside a corporate network.
We need to be able to provide:
- a CA certificate to steps in the build process, such that processes in those build steps can make HTTPS communications to internal infrastructure (GitLab, BitBucket, etcetera) serving TLS certificates signed by that CA.
- environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`, `http_proxy`, `https_proxy`, `no_proxy`), which should be exported in build containers such that processes can communicate via HTTP proxies where appropriate (typically external services like GitHub), and not via HTTP proxies for specified IPs/hostnames (for internal services).
We're using Riff which presumably uses Knative Build to create a pod spec and schedule it. The initContainers in this pod need to have access to the env vars and the CA cert.
The CA cert may require additional steps. We've been creating a manual test case in a pod of our own creation, whereby we add the base64-encoded CA cert as a Secret in Kubernetes, then mount that into our container. We're probably doing it wrong, but in an Ubuntu-based image, mounting the cert directly into `/etc/ssl/certs/` doesn't work and instead we need to mount it into `/usr/local/share/ca-certificates/` and then run the `update-ca-certificates` command. I'm not sure if this process is universal across Linux distributions; if not then I can understand why supporting this might be impractical.
I'm not super-familiar with Knative Build so I'm not sure what the UX should look like.
cc @andrewdriver123
@DanielJonesEB:
- Setting environment variables on a build step: here is an example. You could also consider using a ConfigMap with all `HTTP`/`HTTPS` variables and then pass the ConfigMap reference to build steps. Here is the ConfigMap example. Example to mount a CA certificates volume in a build.
- And for your last question, you could consider adding a step in the build to mount the certificate volume and run the command `update-ca-certificates` before using the same volume in the next step (in theory this should work).
I think the bigger issue might be how to set those configurations for the step we prepend that fetches the specified source. If `HTTP_PROXY` is needed to fetch from the Git repo, for instance, there's currently no way to inject that.
For now you can probably get around this by not specifying `source`, and instead fetching source yourself with all the env vars / config you need in a build step, or specifying a custom `source` which effectively does the same thing.
We should improve this though.
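An added example, not code from the issue, from Riff or from the Knative Build project, that puts the two suggestions from @shashwathi (proxy variables from a ConfigMap, a step that runs `update-ca-certificates` on a mounted cert volume) and the workaround from @ImJasonH (omit `source` and clone in your own step) into one Build manifest. It goes one step beyond the thread: the install step copies the merged system bundle to an `emptyDir`, and later steps point git and curl/openssl at that file via `GIT_SSL_CAINFO` and `SSL_CERT_FILE`, so they do not have to repeat the distro-specific trust-store dance. The ConfigMap and Secret names (`proxy-env`, `corp-ca`), the proxy and GitLab hostnames, the image, and the use of Knative Build's default `/workspace` directory are all assumptions for illustration.

```yaml
# Added example (not from the issue or the Knative project). All names,
# hostnames and the image are placeholders; adjust for your environment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: proxy-env                     # assumed name
data:
  HTTP_PROXY: "http://proxy.corp.example:3128"
  HTTPS_PROXY: "http://proxy.corp.example:3128"
  # internal hosts and cluster-local names must bypass the proxy
  NO_PROXY: "localhost,127.0.0.1,10.0.0.0/8,.corp.example,.svc,.cluster.local"
  http_proxy: "http://proxy.corp.example:3128"
  https_proxy: "http://proxy.corp.example:3128"
  no_proxy: "localhost,127.0.0.1,10.0.0.0/8,.corp.example,.svc,.cluster.local"
---
# The Secret is created from the PEM file; kubectl base64-encodes it for you.
# The key MUST end in .crt, otherwise update-ca-certificates ignores the file:
#   kubectl create secret generic corp-ca --from-file=corp-ca.crt=./corp-ca.crt
apiVersion: build.knative.dev/v1alpha1
kind: Build
metadata:
  name: corp-build
spec:
  # No spec.source: the repository is cloned by a step below, so the proxy
  # variables and the CA bundle apply to the fetch as well.
  volumes:
  - name: corp-ca
    secret:
      secretName: corp-ca             # assumed name
  - name: ca-bundle
    emptyDir: {}
  steps:
  # Step 1: merge the corporate CA into the Debian/Ubuntu trust store and
  # export the resulting bundle to a volume shared with later steps.
  - name: install-ca
    image: buildpack-deps:stretch-scm # assumed: any image with ca-certificates
    volumeMounts:
    - name: corp-ca
      # a subdirectory, so the mount does not hide existing files
      mountPath: /usr/local/share/ca-certificates/corp
      readOnly: true
    - name: ca-bundle
      mountPath: /ca-bundle
    command: ["sh", "-c"]
    args:
    - |
      set -eu
      update-ca-certificates
      # update-ca-certificates creates /etc/ssl/certs/<name>.pem for each
      # .crt it picked up; fail the build early if ours is missing
      test -L /etc/ssl/certs/corp-ca.pem
      cp /etc/ssl/certs/ca-certificates.crt /ca-bundle/ca-certificates.crt
  # Step 2: clone through the proxy (or not, per NO_PROXY) while trusting the
  # merged bundle. git honours GIT_SSL_CAINFO; curl/openssl honour SSL_CERT_FILE.
  - name: fetch-source
    image: buildpack-deps:stretch-scm # assumed: any image with git
    envFrom:
    - configMapRef:
        name: proxy-env
    env:
    - name: GIT_SSL_CAINFO
      value: /ca-bundle/ca-certificates.crt
    - name: SSL_CERT_FILE
      value: /ca-bundle/ca-certificates.crt
    volumeMounts:
    - name: ca-bundle
      mountPath: /ca-bundle
      readOnly: true
    command: ["git", "clone", "https://gitlab.corp.example/team/app.git", "/workspace/app"]
  # Later steps reuse the same envFrom / env / volumeMounts as fetch-source.
```

Only the install step depends on the distribution's trust-store layout: Debian/Ubuntu and Alpine both use `/usr/local/share/ca-certificates/` with `update-ca-certificates`, whereas RHEL/CentOS images use `/etc/pki/ca-trust/source/anchors/` with `update-ca-trust`. Every later step consumes only the exported bundle through environment variables, so it can use any base image. Dropping a single PEM straight into `/etc/ssl/certs/` fails because most tools read the concatenated `ca-certificates.crt` bundle (or the hashed symlinks) that only `update-ca-certificates` regenerates.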
Thanks @shashwathi and @ImJasonH!
> If `HTTP_PROXY` is needed to fetch from the Git repo, for instance, there's currently no way to inject that.
Yep, that's a use case for us where SSH authentication isn't possible. To reach out to GitHub we'd need to go via an HTTP proxy, and if the repo is hosted internally then it will present a self-signed TLS certificate so we'd need to provide the CA certificate.
Apologies if I'm not being very clear, I'm quite new to Knative and the work I'm doing is to use Riff, so there's a layer of indirection too.