Configure a Kubernetes Build Farm to use Self-Signed Certificates

Updated 4 days ago by Doug Bothwell

CI build Infrastructure Pods can interact with servers using self-signed certificates. This option is useful for organizations that prefer to use internal certificates instead of certificates generated by a public Certificate Authority (CA). 

Review: Implementation Summary

To implement this functionality, do the following:

  1. Install the certificates on a volume in the same namespace used by the Harness Kubernetes Delegate that will be used by your CI Pipelines. The default namespace used by a Harness Delegate is harness-delegate-ng, but your Delegate might be installed in a different namespace.
  2. Mount the volume on the Delegate and build Pods. For details, see Configure a Pod to Use a Volume for Storage in the Kubernetes documentation.
  3. Add the following environment variables to each Pod. You can define these variables in the Advanced section of a CI Build Stage Overview, as variables in a Pipeline stage, or add them to the Delegate namespace as shown in the steps below.
    1. ADDITIONAL_CERTS_PATH: the path to the certificates folder on the mounted volume. For example: /tmp/certs.
    2. CI_MOUNT_VOLUMES: a comma-separated list of mappings to mount a folder's contents onto all build containers. Each mapping consists of the certificates folder on the volume, a colon, and the path and filename of the CRT file in each container. For example:
      /tmp/certs:/etc/ssl/certs/ca-certificates.crt, /tmp/certs:/kaniko/ssl/certs/additional-ca-cert-bundle.crt, /tmp/certs:/other/path.crt
      This list must include all certificates that your build containers need to interact with external services.

Important Notes

  • Harness CI Build and Push steps use the kaniko plugin by default. You’ll need to mount the certificates to /kaniko/ssl/certs/additional-ca-cert-bundle.crt and then expose these certificates in the Delegate.
  • To verify the volume is mounted correctly, add a command to a Run step in the stage such as:
    cat /kaniko/ssl/certs/additional-ca-cert-bundle.crt

Step 1: Add Certificates to Delegate Namespace

Add the self-signed certificates to the workspace. For example, you could add a configmap.yaml to the Delegate namespace:

apiVersion: v1
kind: ConfigMap
metadata:
  name: selfsignedcert
  namespace: harness-delegate-ng
data:
  # one PEM block per CA certificate; the PEM bodies go between the markers
  ca.bundle: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

Step 2: Add Certificate Volumes and Mappings

Add a mounted volume with the certificates and the environment variables needed to mount these certificates to the CI containers. You could add a statefulset.yaml like this to your Delegate namespace:

apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      containers:
        - # ...the existing Delegate container (name, image, etc.) stays as is...
          env:
            - name: ADDITIONAL_CERTS_PATH
              value: /tmp/ca.bundle
            - name: CI_MOUNT_VOLUMES
              # the source side of each mapping must be the path where the bundle
              # is mounted on the Delegate (mountPath below), not an unmounted folder
              value: >-
                /tmp/ca.bundle:/etc/ssl/certs/ca-certificates.crt,
                /tmp/ca.bundle:/kaniko/ssl/certs/additional-ca-cert-bundle.crt,
                /tmp/ca.bundle:/other/path.crt
          volumeMounts:
            - name: registrycertvol
              mountPath: /tmp/ca.bundle
              subPath: ca.bundle
      restartPolicy: Always
      volumes:
        - name: registrycertvol
          configMap:
            name: selfsignedcert
            items:
              - key: ca.bundle
                path: ca.bundle

Step 3: Verify That Your Volumes Are Mounted

To verify that the volume is mounted correctly, add a Run step to the stage that runs the following command:

cat /kaniko/ssl/certs/additional-ca-cert-bundle.crt
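A fuller check for the Run step than cat, added here as an example and not part of the Harness documentation: it confirms that every destination in the CI_MOUNT_VOLUMES mappings exists, is a non-empty PEM file with the expected number of certificates, and that an internal TLS endpoint validates against the mounted bundle. It assumes POSIX sh and the openssl CLI in the build image; registry.internal:443 is a placeholder host.

```shell
#!/bin/sh
# Added example, not part of the Harness documentation: a Run-step check that
# goes beyond `cat`. It confirms each destination in CI_MOUNT_VOLUMES exists,
# is a non-empty PEM file with at least MIN certificates, and (optionally) that
# an internal TLS endpoint validates against the mounted bundle.
# Assumes POSIX sh and the openssl CLI in the build image.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# check_bundle FILE MIN -> succeeds if FILE is non-empty and holds >= MIN certs
check_bundle() {
    file=$1
    min=$2
    [ -s "$file" ] || { echo "FAIL: $file missing or empty"; return 1; }
    n=$(count_certs "$file")
    [ "$n" -ge "$min" ] || { echo "FAIL: $file has $n cert(s), expected >= $min"; return 1; }
    echo "OK: $file ($n cert(s))"
}

# check_mappings "SRC:DST, SRC:DST" MIN -> runs check_bundle on every DST;
# splits on commas and tolerates the spaces after them shown in the docs
check_mappings() {
    rc=0
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        check_bundle "${m#*:}" "$2" || rc=1
    done
    return $rc
}

# verify_tls HOST:PORT BUNDLE -> succeeds only if the server's chain validates
# against BUNDLE (the two destination paths below are the page's own)
verify_tls() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Example Run-step usage (registry.internal:443 is a placeholder host):
#   check_mappings "/tmp/ca.bundle:/etc/ssl/certs/ca-certificates.crt,/tmp/ca.bundle:/kaniko/ssl/certs/additional-ca-cert-bundle.crt" 1
#   verify_tls registry.internal:443 /kaniko/ssl/certs/additional-ca-cert-bundle.crt
```

Pass the MIN argument as the number of certificates in your ConfigMap bundle (two in the example above) so a truncated or stale mount is reported, not just a missing one.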