Project: OpenShift Pipelines
Issue: SRVKP-1687

TektonCD operator overriding SSL_CERT_DIR may cause internal Certificate Authorithy to be ignored

      * The `SSL_CERT_DIR` environment variable (`/tekton-custom-certs`) set by {pipelines-title} will not override the following default system directories with certificate files:
      ** `/etc/pki/tls/certs`
      ** `/etc/ssl/certs`
      ** `/system/etc/security/cacerts`
    • Pipelines Sprint 209, Pipelines Sprint 210, Pipelines Sprint 211

      When a pod is created as part of a PipelineTask, the Pipeline Operator sets the environment variable

      SSL_CERT_DIR=/tekton-custom-certs

      This has the effect of overriding the Certificate Authority search path /etc/pki/tls/certs; see https://golang.org/src/crypto/x509/root_linux.go

      The result of this is a customer-defined Certificate Authority, added in /etc/pki/tls/certs in a container image following the documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening#adding-new-certificates_using-shared-system-certificates

      Is this expected behaviour?

      The overriding was added in

      https://github.com/tektoncd/pipeline/pull/2787/files
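The following is an added example, not code from the Tekton project or from this issue's reporter. It reproduces the behaviour described above and the outcome described in the release note: on Unix, Go's crypto/x509 treats a non-empty SSL_CERT_DIR as a replacement for its default certificate directories (a colon-separated list since Go 1.18), never as an addition to them. The functions certDirs and loadRoots re-implement that selection and loading logic so it can be exercised without touching the real /etc/pki/tls/certs; a temporary directory stands in for it, and the "tekton-custom-certs first, defaults appended" value is an assumed shape for a non-overriding setting, not the operator's actual configuration. The CA is generated on the fly as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// certDirs mirrors the selection in Go's crypto/x509/root_unix.go: when
// SSL_CERT_DIR is non-empty it REPLACES the platform defaults
// (/etc/ssl/certs, /etc/pki/tls/certs, /system/etc/security/cacerts on
// Linux); it is split on ':' and does not extend them. The defaults are a
// parameter here so a temp directory can stand in for /etc/pki/tls/certs.
func certDirs(sslCertDir string, defaults []string) []string {
	if sslCertDir == "" {
		return defaults
	}
	return strings.Split(sslCertDir, ":")
}

// loadRoots appends every PEM certificate found directly in dirs to a pool,
// silently skipping directories that do not exist, as Go's loader does.
func loadRoots(dirs []string) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, dir := range dirs {
		entries, err := os.ReadDir(dir)
		if err != nil {
			continue
		}
		for _, e := range entries {
			if e.IsDir() {
				continue
			}
			if data, err := os.ReadFile(filepath.Join(dir, e.Name())); err == nil {
				pool.AppendCertsFromPEM(data)
			}
		}
	}
	return pool
}

// newCA creates a throwaway self-signed CA (constructed test data).
func newCA() (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caTrusted reports whether ca verifies against the roots that the given
// SSL_CERT_DIR value selects.
func caTrusted(sslCertDir string, defaults []string, ca *x509.Certificate) bool {
	_, err := ca.Verify(x509.VerifyOptions{Roots: loadRoots(certDirs(sslCertDir, defaults))})
	return err == nil
}

// Outcome records whether the CA installed in the "system" directory is trusted.
type Outcome struct {
	Unset       bool // SSL_CERT_DIR unset: defaults are searched
	TektonOnly  bool // SSL_CERT_DIR=/tekton-custom-certs: the reported behaviour
	TektonFirst bool // SSL_CERT_DIR=/tekton-custom-certs:<defaults>: assumed fix shape
}

// RunScenario stands a temp dir in for /etc/pki/tls/certs, installs an internal
// CA there the way the RHEL shared-system-certificates docs describe, and
// checks which SSL_CERT_DIR values still trust it.
func RunScenario() (Outcome, error) {
	root, err := os.MkdirTemp("", "sslcertdir")
	if err != nil {
		return Outcome{}, err
	}
	defer os.RemoveAll(root)
	systemDir := filepath.Join(root, "etc", "pki", "tls", "certs")
	customDir := filepath.Join(root, "tekton-custom-certs")
	for _, d := range []string{systemDir, customDir} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return Outcome{}, err
		}
	}
	ca, caPEM, err := newCA()
	if err != nil {
		return Outcome{}, err
	}
	if err := os.WriteFile(filepath.Join(systemDir, "internal-ca.pem"), caPEM, 0o644); err != nil {
		return Outcome{}, err
	}
	defaults := []string{systemDir}
	return Outcome{
		Unset:       caTrusted("", defaults, ca),
		TektonOnly:  caTrusted(customDir, defaults, ca),
		TektonFirst: caTrusted(customDir+":"+strings.Join(defaults, ":"), defaults, ca),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("SSL_CERT_DIR unset:                    trusted=%v\n", o.Unset)
	fmt.Printf("SSL_CERT_DIR=/tekton-custom-certs:      trusted=%v\n", o.TektonOnly)
	fmt.Printf("SSL_CERT_DIR=/tekton-custom-certs:<def>: trusted=%v\n", o.TektonFirst)
}
```

The point worth checking in a real pod is the same one the scenario isolates: the real x509.SystemCertPool reads SSL_CERT_DIR once per process, so whatever value the operator injects decides, for the lifetime of that step container, whether anything under /etc/pki/tls/certs is consulted at all. Listing the defaults after /tekton-custom-certs, as in the third case, keeps both the custom bundle and the image's own CAs in scope.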

              concaf Shubham Minglani
              rhn-support-ekasprzy Emmanuel Kasprzyk
              Votes: 1
              Watchers: 4