Flux: How to add certificate for private docker registry

Created on 5 Jul 2018 · 7 comments · Source: fluxcd/flux

I'm getting an error on the flux pod while trying to talk to the docker registry:

Err="Get https://xxx.com X509: certificate signed by unknown authority

Could you please let me know how I add a certificate for a private docker registry?

Labels: question, review

All 7 comments

There is a PR (#1158) in the works which makes this clear.

Details about the required steps can be found here:

Not quite the same thing -- those explanations are about the git SSH key, whereas the question is about a CA cert for a private docker registry.

@srikantheee84 My guess is that you can mount the certificate into the fluxd container's filesystem. If you can figure out where it's expected to be, we can try that. My guess is you need to mount it under /usr/local/share/ca-certificates/ (ref: https://github.com/gliderlabs/docker-alpine/issues/260).

I tried mounting the certificate as a ConfigMap under /usr/local/share/ca-certificates/ but I didn't see the certificate added to the /etc/ssl/certs/ca-certificate.crt file after the container started.

I think the update-ca-certificates program needs to be installed as part of the flux docker image and invoked as part of the flux start-up script.

As of now, the update-ca-certificates program is not installed in the container.

Ahh yes, I missed that bit from the alpine linux issue -- that makes it a bit trickier doesn't it.
The flux image does contain update-ca-certificates, it's just not on the path because it's in /usr/sbin/.

You could either:

  1. use an initContainer with your CA cert mounted into `/usr/local/share/ca-certificates/` to run `/usr/sbin/update-ca-certificates`, with the result going into a volume shared between that and the fluxd container
  2. kubectl exec into the flux pod, run the command, and put the result into a ConfigMap which you can mount into the right place (a bit like what we do for known_hosts)

I am reluctant to bake extra machinery into the released image, if it can be accomplished with Kubernetes config.
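A concrete form of the first option above, as an added example written for this page and not code from the Flux project: a Deployment fragment in which an init container, running the same flux image (which already contains /usr/sbin/update-ca-certificates), regenerates the CA bundle with the registry CA appended and hands only that one file to fluxd through an emptyDir volume. The image tag, the Secret name `registry-ca`, its key `registry-ca.crt`, and the git URL are assumptions.

```yaml
# Added example (not from the Flux project). Assumptions: the flux image runs
# as root so the init container can write /etc/ssl/certs; a Secret named
# registry-ca with key registry-ca.crt holds the private registry's CA in PEM.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux
spec:
  replicas: 1
  selector:
    matchLabels:
      name: flux
  template:
    metadata:
      labels:
        name: flux
    spec:
      serviceAccountName: flux
      volumes:
        - name: registry-ca            # the private registry CA (assumed Secret)
          secret:
            secretName: registry-ca
        - name: ca-bundle              # carries the rebuilt bundle to fluxd
          emptyDir: {}
      initContainers:
        - name: build-ca-bundle
          image: quay.io/weaveworks/flux:1.4.2   # same image as fluxd; tag assumed
          command:
            - /bin/sh
            - -c
            - |
              set -e
              # update-ca-certificates picks up every *.crt placed under
              # /usr/local/share/ca-certificates/ and appends it to the bundle
              # that ships in the image, so the public CAs stay trusted.
              /usr/sbin/update-ca-certificates
              # Publish only the regenerated bundle; nothing else in
              # /etc/ssl/certs of the fluxd container is touched.
              cp /etc/ssl/certs/ca-certificates.crt /ca-bundle/ca-certificates.crt
          volumeMounts:
            - name: registry-ca
              mountPath: /usr/local/share/ca-certificates/registry-ca.crt
              subPath: registry-ca.crt   # a plain file, not a symlinked dir
              readOnly: true
            - name: ca-bundle
              mountPath: /ca-bundle
      containers:
        - name: flux
          image: quay.io/weaveworks/flux:1.4.2   # tag assumed
          args:
            - --git-url=git@github.com:example/config   # assumed
          volumeMounts:
            - name: ca-bundle
              # Overlay just the bundle file so the rest of /etc/ssl/certs
              # keeps the image's own contents.
              mountPath: /etc/ssl/certs/ca-certificates.crt
              subPath: ca-certificates.crt
              readOnly: true
```

Create the Secret first with `kubectl create secret generic registry-ca --from-file=registry-ca.crt=./registry-ca.crt` in the namespace where flux runs. Because the init container regenerates the bundle from the image's own certificates plus the one you add, the other CAs remain trusted and nothing has to be trimmed to fit a ConfigMap. After the rollout, the `x509: certificate signed by unknown authority` line should no longer appear in the fluxd logs; if it does, exec into the pod and confirm that /etc/ssl/certs/ca-certificates.crt contains the registry CA.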

Great! It worked :-) I took your second approach. One more question: is it required to have the other certificates which are included in ca-certificates.crt? Just want to be careful with the size restrictions on ConfigMaps.

> It worked :-)

Fantastic! Do you reckon this is worth documenting in FAQs or the setup guide?

> Is it required to have the other certificates which are included in ca-certificates.crt? Just want to be careful with the size restrictions on ConfigMaps.

I'd be quite cautious about removing other CA certs -- they may be used for other kinds of request, since they are used for SSL in general.

With respect to size limits on ConfigMaps, I think it used to be 1MB; I'm not sure there is a limit now. The ca-certificates.crt file on my local system is about 200KB.

It would be great to have this included in the Helm chart for Flux. Would you rather I opened a new issue for that, or is it worth re-opening this one?
