Bug 1688272 - Additional ca-trust store could not mount inside of the pod
Summary: Additional ca-trust store could not mount inside of the pod
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Seth Jennings
QA Contact: Jianwei Hou
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-03-13 12:27 UTC by Rutvik
Modified: 2019-03-13 19:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-13 19:35:41 UTC
Target Upstream Version:



Description Rutvik 2019-03-13 12:27:08 UTC
Description of problem:

We updated all nodes in the cluster with some extra trusted CA certs; however, they are not replicating down to the containers.

We can see a difference in the /etc/pki/ca-trust/extracted/java/cacerts keystore on the nodes vs. the containers.


NOTE: After adding the certificates at "/etc/pki/ca-trust/source/anchors/", the customer has updated the ca-trust by running the following command:

$ /bin/update-ca-trust extract

Note: Also the docker service has been restarted on all nodes


Additional info:

There are 142 entries in the cacerts truststore on the nodes and only 133 entries in the cacerts truststore in the containers.

Comment 1 Seth Jennings 2019-03-13 19:35:41 UTC
This is not a bug.

The customer should just put this CA in the truststore of the container image at image build time or inject it via a secret. hostPath-mounting the truststore from the host will likely encounter SELinux issues.


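The "inject it via a secret" route from comment 1, written out as an added example (this is not from the bug report or from OpenShift documentation). It assumes a Secret named corp-ca holding the extra root in PEM form, a Pod named app, and an application image registry.example.com/app:1.0 built on a RHEL/CentOS base that ships update-ca-trust. An init container, running the same image, copies the anchor into a writable overlay of /etc/pki/ca-trust/source/anchors, runs update-ca-trust extract into an emptyDir, and the application container mounts that emptyDir over /etc/pki/ca-trust/extracted, so the Java cacerts symlink chain (/etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts) picks up the rebuilt keystore without any hostPath mount:

```yaml
# Added example, not code from the bug report. Names (corp-ca, app,
# registry.example.com/app:1.0) and the PEM placeholder are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: corp-ca
type: Opaque
stringData:
  corp-root.pem: |
    -----BEGIN CERTIFICATE-----
    <PEM body of the extra root CA goes here>
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  volumes:
    - name: corp-ca
      secret:
        secretName: corp-ca
    # Writable overlays; emptyDir is world-writable, so this works under
    # the restricted SCC with an arbitrary non-root UID.
    - name: anchors
      emptyDir: {}
    - name: extracted
      emptyDir: {}
  initContainers:
    - name: build-ca-trust
      # Same image as the app so the extracted layout matches what it expects.
      image: registry.example.com/app:1.0
      command:
        - /bin/sh
        - -c
        - |
          set -e
          # -L dereferences the ..data symlinks a Secret mount creates.
          cp -L /extra-ca/*.pem /etc/pki/ca-trust/source/anchors/
          mkdir -p /etc/pki/ca-trust/extracted/pem \
                   /etc/pki/ca-trust/extracted/java \
                   /etc/pki/ca-trust/extracted/openssl \
                   /etc/pki/ca-trust/extracted/edk2
          update-ca-trust extract
          # Quick check: the new root must appear in the PEM bundle.
          grep -c 'BEGIN CERTIFICATE' /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      volumeMounts:
        - name: corp-ca
          mountPath: /extra-ca
          readOnly: true
        - name: anchors
          mountPath: /etc/pki/ca-trust/source/anchors
        - name: extracted
          mountPath: /etc/pki/ca-trust/extracted
  containers:
    - name: app
      image: registry.example.com/app:1.0
      volumeMounts:
        - name: extracted
          mountPath: /etc/pki/ca-trust/extracted
          readOnly: true
```

The build-time alternative from the same comment is two Dockerfile lines in the image: `COPY corp-root.pem /etc/pki/ca-trust/source/anchors/` followed by `RUN update-ca-trust extract`; that avoids the init container entirely but ties the CA rotation to an image rebuild. Either way the check is the same one the reporter used: compare the entry count of /etc/pki/ca-trust/extracted/java/cacerts (or the BEGIN CERTIFICATE count in tls-ca-bundle.pem) inside the running container against the node, and confirm the extra root's fingerprint is present rather than relying on the count alone.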