Configure a Kubernetes build farm to use self-signed certificates

CI build infrastructure pods can interact with servers using self-signed certificates. This option is useful for organizations that prefer to use internal certificates instead of certificates generated by a public Certificate Authority (CA).

info

• This topic assumes that you are familiar with how to implement SSL in Kubernetes. General information about implementing SSL is outside the scope of this topic.
• With a Kubernetes cluster build infrastructure, all Build and Push steps use kaniko. Kaniko uses the path /kaniko/ssl/certs/additional-ca-cert-bundle.crt to read certificates.
• Harness uses a UBI image for the Git Clone step. UBI reads certificates from /etc/ssl/certs/ca-bundle.crt.
• Different base images use different paths as their default certificate location. For example, Alpine images use this path to recognize certificates: /etc/ssl/certs/ca-certificates.crt For any other image, make sure you verify the default certificate path.

Enable self-signed certificates

1. Create a Kubernetes secret or config map with the required certificates in the same namespace used by the Harness delegate. For example:

   apiVersion: v1  
   kind: Secret  
   metadata:  
     name: addcerts  
     namespace: harness-delegate-ng  
   type: Opaque  
   stringData:                             
     ca.bundle: |  
       -----BEGIN CERTIFICATE-----  
       XXXXXXXXXXXXXXXXXXXXXXXXXXX  
       -----END CERTIFICATE-------  
       -----BEGIN CERTIFICATE-----  
       XXXXXXXXXXXXXXXXXXXXXXXXXXX  
       -----END CERTIFICATE-------

2. Mount the secret as a volume on the delegate pod.

   For instructions, go to the Kubernetes documentation on Configuring a Pod to Use a Volume for Storage.

   In the delegate pod, you must specify DESTINATION_CA_PATH or both ADDITIONAL_CERTS_PATH and CI_MOUNT_VOLUMES. You can use either method or specify both methods. If you specify both, DESTINATION_CA_PATH takes precedence. If Harness can't resolve DESTINATION_CA_PATH, it falls back to CI_MOUNT_VOLUMES and ADDITIONAL_CERTS_PATH.

   DESTINATION_CA_PATH

   For DESTINATION_CA_PATH, provide a comma-separated list of paths in the build pod where you want the certs to be mounted, and mount your certificate files to opt/harness-delegate/ca-bundle.

           env:
           - name: DESTINATION_CA_PATH
                     value: "/etc/ssl/certs/ca-bundle.crt,/kaniko/ssl/certs/additional-ca-cert-bundle.crt"
                   volumeMounts:
                   - name: certvol
                     mountPath: /opt/harness-delegate/ca-bundle/ca.bundle
                     subPath:  ca.bundle
                 volumes:
                 - name: certvol
                   secret:
                     secretName: addcerts
                     items:
                     - key: ca.bundle
                       path: ca.bundle

   Both CI build pods and the SCM client on the delegate support this method.

   CI_MOUNT_VOLUMES

   You must specify both ADDITIONAL_CERTS_PATH and CI_MOUNT_VOLUMES.

   For ADDITIONAL_CERTS_PATH, provide the path to the certificates in the delegate, such as /tmp/ca.bundle.

   For CI_MOUNT_VOLUMES, provide a comma-separated list of source:destination mappings where source is the certificate path on the delegate, and destination is the path where you want to expose the certificates on the build containers. For example:

   /tmp/ca.bundle:/etc/ssl/certs/ca-bundle.crt,/tmp/ca.bundle:/kaniko/ssl/certs/additional-ca-cert-bundle.crt

   The CI_MOUNT_VOLUMES list must include all certificates that your build containers need to interact with external services.

           env:  
           - name: ADDITIONAL_CERTS_PATH  
             value: /tmp/ca.bundle  
           - name: CI_MOUNT_VOLUMES  
             value: /tmp/ca.bundle:/etc/ssl/certs/ca-bundle.crt,/tmp/ca.bundle:/kaniko/ssl/certs/additional-ca-cert-bundle.crt  
           volumeMounts:  
           - name: certvol  
             mountPath: /tmp/ca.bundle  
             subPath:  ca.bundle 
          volumes:  
           - name: certvol  
             secret:  
               secretName: addcerts  
               items:  
               - key: ca.bundle  
                 path: ca.bundle
   caution

   Make sure the destination path is not same as the default CA certificate path of the corresponding container image.

   If you want to override the default certificate file, make sure the Kubernetes secret or config map (from step one) includes all certificates required by the pipelines that will use this build infrastructure.

3. Restart the delegate. Once it is up and running, exec into the container and ensure that the volume exists at the mounted path and contains your certificates.

Additional configuration for pipelines with STO scan steps

If you have STO scan steps in your pipeline, follow the steps to enable self-signed certificates, and complete the additional steps and requirements described in Adding Custom Artifacts to STO Pipelines.

Troubleshooting SCM service connection issues

If your builds fail due to a problem connecting to the scm service, add SCM_SKIP_SSL=true to the environment section of the delegate YAML. For more information about this issue, go to Troubleshoot CI.

If the volumes are not getting mounted to the build containers, or you continue to see certificate errors in your pipeline, try the following:

1. Add a Run step that prints the contents of the destination path. For example, you can include a command such as:

   cat /kaniko/ssl/certs/additional-ca-cert-bundle.crt

2. Double-check that the base image used in the step reads certificates from the same path given in the destination path on the Delegate.