Adding ca certificates to support transparent proxy

Open d-m opened this issue 1 year ago • 11 comments

Hello, is it possible to add a CA certificate to be used during func build steps? I’m working with a transparent proxy and builds using buildpacks fail when downloading versions of Python, go, etc. in the container. This seems to be possible with the build pack “pack” command using bindings but I wasn’t sure if this was exposed in func. Thanks!

d-m avatar Feb 28 '24 22:02 d-m

This is not supported in func, see: https://github.com/knative/func/issues/2177

braunsonm avatar Feb 29 '24 04:02 braunsonm

@d-m try putting your CAs in your project directory and setting the SSL_CERT_DIR envvar.

build:
  buildEnvs:
    - name: SSL_CERT_DIR
      value: /workspace

matejvasek avatar Mar 04 '24 20:03 matejvasek

It should work: https://cloud-native.slack.com/archives/C04LKEZUXEE/p1707837008531269 .

matejvasek avatar Mar 04 '24 20:03 matejvasek

@d-m try putting your CAs in your project directory and setting the SSL_CERT_DIR envvar.

build:
  buildEnvs:
    - name: SSL_CERT_DIR
      value: /workspace

What should be value for SSL_CERT_DIR in windows and linux? Is this common for all environments?

Vishal1297 avatar Mar 07 '24 08:03 Vishal1297

@Vishal1297 it should be just /workspace -- that's the path of source code in a build container.

matejvasek avatar Mar 07 '24 17:03 matejvasek

@matejvasek Thanks, it worked but now I am facing another issue. Error is there while downloading go modules from private repo.

Server certification verification failed

Maybe my certs having correct?

Vishal1297 avatar Mar 07 '24 18:03 Vishal1297

@matejvasek Thanks, it worked but now I am facing another issue. Error is there while downloading go modules from private repo.

Server certification verification failed

Maybe my certs having correct?

It's resolved with help of go mod vendor

Vishal1297 avatar Mar 09 '24 13:03 Vishal1297

@matejvasek Thanks, it worked but now I am facing another issue. Error is there while downloading go modules from private repo.

Server certification verification failed

Maybe my certs having correct?

Hard to tell without more output. Maybe go does not respect SSL_CERT_DIR, I do not know.

matejvasek avatar Mar 11 '24 04:03 matejvasek

@matejvasek Thanks, it worked but now I am facing another issue. Error is there while downloading go modules from private repo. Server certification verification failed Maybe my certs having correct?

Hard to tell without more output. Maybe go does not respect SSL_CERT_DIR, I do not know.

SSL_CERT_DIR env works with https://github.com/paketo-buildpacks/go. What I got to know is that we have two options to solve the certificate problem.

Vishal1297 avatar Mar 11 '24 04:03 Vishal1297

What are "Git bindings"?

matejvasek avatar Mar 12 '24 02:03 matejvasek

What are "Git bindings"?

https://github.com/paketo-buildpacks/go-mod-vendor/issues/140

I mean bindings for git paketo.io/docs/howto/configuration/#bindings. Not sure how to use it.

Vishal1297 avatar Mar 12 '24 05:03 Vishal1297

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Jun 11 '24 01:06 github-actions[bot]

See @matejvasek solution above, which should work in most cases for the question from the OP:

@d-m try putting your CAs in your project directory and setting the SSL_CERT_DIR envvar.

build:
  buildEnvs:
    - name: SSL_CERT_DIR
      value: /workspace

lkingland avatar Sep 17 '24 04:09 lkingland
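
An added example, not part of the thread or of func's own code: because the workaround points SSL_CERT_DIR at the source directory, any certificate file sitting in the project root may be picked up as a trust anchor during the build, so this pre-build check lists PEM certificates there that are not on a pinned fingerprint list and flags private keys left in the build context. The helper name `audit_cert_dir`, the fingerprint allow-list, and the assumption that only top-level files of the directory are read as CA files are all assumptions of this sketch.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# Matches any PEM block and captures its label and its base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def audit_cert_dir(project_dir, expected_sha256):
    """Return a list of findings for project_dir (hypothetical helper).

    expected_sha256: SHA-256 hex fingerprints (over the DER bytes) of the CA
    certificates that are meant to be trusted during the build.
    """
    findings = []
    seen = set()
    for path in sorted(Path(project_dir).iterdir()):
        if not path.is_file():
            continue  # assumption: only top-level files are read as CA files
        text = path.read_text(errors="ignore")
        for label, body in PEM_BLOCK.findall(text):
            if label.endswith("PRIVATE KEY"):
                findings.append(f"{path.name}: private key inside build context")
            elif label == "CERTIFICATE":
                try:
                    der = base64.b64decode("".join(body.split()), validate=True)
                except ValueError:
                    findings.append(f"{path.name}: certificate body is not valid base64")
                    continue
                digest = hashlib.sha256(der).hexdigest()
                seen.add(digest)
                if digest not in expected_sha256:
                    findings.append(f"{path.name}: unexpected certificate {digest[:16]}")
    for missing in sorted(set(expected_sha256) - seen):
        findings.append(f"expected CA {missing[:16]} not found")
    return findings


if __name__ == "__main__":
    # usage: python audit_cert_dir.py <project_dir> <sha256> [<sha256> ...]
    results = audit_cert_dir(sys.argv[1], set(sys.argv[2:]))
    print("\n".join(results) or "ok: only the expected CA certificates are present")
    sys.exit(1 if results else 0)
```

Run it before `func build` with the fingerprint of the proxy CA you were given; a non-zero exit means the directory would expose something other than that CA.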