Change additional cert file name to avoid conflicts

What does this MR do?

Update the kaniko documentation so that custom CA certs are added to a file that will not conflict with the public certs embedded in the kaniko container.

When a file '/kaniko/ssl/certs/ca-certificates.crt' is present with valid cert content, pulling containers from public repos will fail with "x509: certificate signed by unknown authority"; however, pulling from / pushing to custom CA endpoints will be successful.

The workaround is to change the name of the custom CA cert bundle added to kaniko's '/kaniko/ssl/certs/' path. In my case I called it 'additional-ca-cert-bundle.crt' and used the same content that is passed to GitLab security containers to perform scans.
The following is the full line of code used to make it work in my custom cert environment:

    mkdir -p /kaniko/ssl/certs/ \
      && touch /kaniko/ssl/certs/ca-certificates.crt \
      && touch /kaniko/ssl/certs/additional-ca-cert-bundle.crt \
      && echo "$ADDITIONAL_CA_CERT_BUNDLE" > /kaniko/ssl/certs/additional-ca-cert-bundle.crt

This was not included in the documentation change, as it was not tested in enough target environments to validate that this level of complexity is required in all environments.
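As an added example (not code from this MR or from the GitLab or kaniko docs), a POSIX shell helper that performs the workaround above defensively: it rejects input that is not a PEM bundle, never overwrites an existing non-empty ca-certificates.crt, and writes the custom CAs to their own file. The directory and file names are taken from the MR description; that kaniko picks up every file in that directory is an assumption the workaround relies on.

```shell
#!/bin/sh
# Added example, not the MR's own script. Installs a custom CA bundle next to
# kaniko's embedded public bundle without clobbering it.

# install_ca_bundle <bundle-content> [cert-dir]
# Returns 0 on success, 1 if the content is not a PEM certificate bundle,
# 2 if the destination directory cannot be created.
install_ca_bundle() {
    bundle="$1"
    cert_dir="${2:-/kaniko/ssl/certs}"             # kaniko's cert dir (assumed from MR)
    embedded="$cert_dir/ca-certificates.crt"        # kaniko's own public bundle
    extra="$cert_dir/additional-ca-cert-bundle.crt" # our custom CAs, separate file

    # Reject empty or non-PEM input: an empty or bogus bundle is exactly what
    # produces "x509: certificate signed by unknown authority" on public pulls.
    if ! printf '%s\n' "$bundle" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo "install_ca_bundle: content is not a PEM certificate bundle" >&2
        return 1
    fi

    mkdir -p "$cert_dir" || return 2

    # Never overwrite the embedded bundle; only create it if it is absent
    # (this mirrors the MR's touch of ca-certificates.crt).
    [ -e "$embedded" ] || : > "$embedded"

    # Write the custom bundle to its own file, world-readable, not writable.
    ( umask 022; printf '%s\n' "$bundle" > "$extra" ) || return 2
    return 0
}

# count_certs <file>: number of PEM certificates in a bundle file (0 if missing)
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}
```

Point it at a scratch directory first (second argument) to confirm both files end up where you expect before using the default kaniko path in a CI job.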

Author's checklist (required)

Do not add the feature, frontend, backend, ~"bug", or database labels if you are only updating documentation. These labels will cause the MR to be added to code verification QA issues.

Review checklist

All reviewers can help ensure accuracy, clarity, completeness, and adherence to the Documentation Guidelines and Style Guide.

1. Primary Reviewer

  • Review by a code reviewer or other selected colleague to confirm accuracy, clarity, and completeness. This can be skipped for minor fixes without substantive content changes.

2. Technical Writer

  • Optional: Technical writer review. If not requested for this MR, must be scheduled post-merge. To request for this MR, assign the writer listed for the applicable DevOps stage.

3. Maintainer

  1. Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
  2. Ensure a release milestone is set.
  3. If there has not been a technical writer review, create an issue for one using the Doc Review template.
