"Peer's certificate issuer has been marked as not trusted by the user" in Openshift3


If an S2I ("Source-to-image") resource in Openshift3 tries to connect to a TLS Gitlab repository, it shows the following message: "Peer's certificate issuer has been marked as not trusted by the user".

How can I instruct Openshift3 which certificate authorities it is able to use there? Is there any config/option to bypass this error?

The command entered was:

oc new-app tomcat~https://gitlab.xxx/test/test.git --name=test --strategy=docker


BEST ANSWER

For security reasons, you should add a trusted CA source secret to the BuildConfig. To answer your question, you can disable TLS verification by setting an environment variable GIT_SSL_NO_VERIFY to false in the BuildConfig. Check the docs here for more info.

To pass this directly to the oc new-app command, run:

    oc new-app --build-env GIT_SSL_NO_VERIFY=false

ANSWER

Alternatively, I'd suggest just importing the root CA such that TLS validation works. Won't attempt to speak to all the reasons why this should be a must, but here's how you'd do it:

1) Grab the root certificate file.

If you're running an internal Gitlab instance, whoever set it up should be able to point you to the root CA they're using.

2) Create a new secret with the certificate file

    #oc secrets new [secret name] ca.crt=[local .crt file]
    oc secrets new tls-root-ca ca.crt=my-it-ca.crt

3) Attach your newly created secret to the build config

    #oc patch bc/[build config name] --patch '{ "spec": {"source": { "sourceSecret": { "name": "[secret name]" } } } }'
    oc patch bc/my-build --patch '{ "spec": {"source": { "sourceSecret": { "name": "tls-root-ca" } } } }'

In case you're not familiar with the patch command, this is just adding a "sourceSecret" block like this:

  source:
    git:
      uri: https://your.gitlab.org/your-app
    sourceSecret:
      name: tls-root-ca

See also the OpenShift guide on build input secrets.
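As an added example, not code from either answer: a shell script that stages the CA secret and the BuildConfig patch from the second answer, after checking the file you were handed, and only then calls oc. The names my-it-ca.crt, tls-root-ca and my-build are the answer's placeholders; the manifest helpers need no cluster, and only main needs oc (and openssl for the root check). On the accepted answer's route: git disables certificate verification whenever GIT_SSL_NO_VERIFY is exported with any value, false included, which is why that command works and why the variable should not be left in a BuildConfig once the CA secret is in place.

```shell
#!/usr/bin/env bash
# Added example, not code from either answer: stage the CA source secret and the
# BuildConfig patch from a PEM file, with a few checks, before handing them to oc.
# Assumed names: my-it-ca.crt (CA file), tls-root-ca (secret), my-build (BuildConfig).
set -eu

# Reject the inputs that most often end up in ca.crt by mistake: an unreadable
# file, a file that carries a private key, or a file with no certificate at all.
# Prints the number of CERTIFICATE blocks on success.
check_ca_file() {
  local f="$1" n
  if [ ! -r "$f" ]; then
    echo "cannot read $f" >&2
    return 1
  fi
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
    echo "refusing $f: it holds a private key; ca.crt takes certificates only" >&2
    return 1
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  if [ "$n" -eq 0 ]; then
    echo "no PEM certificate found in $f" >&2
    return 1
  fi
  echo "$n"
}

# Warn when the (first) certificate is not self-signed: an intermediate or the
# GitLab leaf certificate is not the root CA the answer asks for. Needs openssl,
# so it is only called from main and the other helpers stay usable without it.
warn_if_not_root() {
  local f="$1" subj iss
  subj=$(openssl x509 -in "$f" -noout -subject)
  iss=$(openssl x509 -in "$f" -noout -issuer)
  if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
    echo "warning: $f is not self-signed (issuer differs from subject); is it really the root CA?" >&2
  fi
}

# Emit the Secret that `oc secrets new <name> ca.crt=<file>` would create.
# Kubernetes stores the value base64-encoded on one line, hence tr -d '\n'.
ca_secret_manifest() {
  local name="$1" f="$2" b64
  b64=$(base64 < "$f" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  ca.crt: $b64
EOF
}

# The strategic-merge patch from the second answer, as one line of JSON.
source_secret_patch() {
  printf '{"spec":{"source":{"sourceSecret":{"name":"%s"}}}}\n' "$1"
}

# Usage: ./ca-source-secret.sh my-it-ca.crt tls-root-ca my-build
main() {
  local ca_file="$1" secret="$2" bc="$3" n
  n=$(check_ca_file "$ca_file")   # aborts the script (set -e) on a bad file
  echo "certificates in $ca_file: $n"
  warn_if_not_root "$ca_file"
  ca_secret_manifest "$secret" "$ca_file" | oc apply -f -
  oc patch "bc/$bc" --patch "$(source_secret_patch "$secret")"
}

# Only act when invoked with three arguments; sourcing the file just defines the helpers.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

On a current oc the `oc secrets new` form used in the answer is deprecated; `oc create secret generic tls-root-ca --from-file=ca.crt=my-it-ca.crt` produces the same Opaque secret that ca_secret_manifest writes. Keep the secret to certificates only: a file that also carries a key would be mounted into every build that references the secret.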