Configure a Kubernetes build farm to use self-signed certificates

CI build infrastructure pods can interact with servers using self-signed certificates. This option is useful for organizations that prefer to use internal certificates instead of certificates generated by a public Certificate Authority (CA).

info

This topic assumes that you are familiar with how to implement SSL in Kubernetes. General information about implementing SSL is outside the scope of this topic.
With a Kubernetes cluster build infrastructure, all Build and Push steps use kaniko. Kaniko reads certificates from /kaniko/ssl/certs/additional-ca-cert-bundle.crt.
Harness uses a UBI image for the Git Clone step. UBI reads certificates from /etc/ssl/certs/ca-bundle.crt.
Different base images use different paths as their default certificate location. For example, Alpine images use the path /etc/ssl/certs/ca-certificates.crt. For other images, make sure you verify the default certificate path.

Enable self-signed certificates

Create a Kubernetes secret or config map with the required certificates in the same namespace used by the Harness Delegate. For example:

apiVersion: v1
kind: Secret
metadata:
  name: addcerts
  namespace: harness-delegate-ng
type: Opaque
stringData:
  ca.bundle: |
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-------
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-------

Mount the secret as a volume on the delegate pod and add a volumeMount to your certificate files at /opt/harness-delegate/ca-bundle.

In the delegate pod, do the following:

Provide a comma-separated list of paths in the build pod where you want the certs to be mounted.
Mount your certificate files to /opt/harness-delegate/ca-bundle.

To mount the secret, go to the delegate Deployment YAML and update volumeMounts and volumes. For an example, expand the section below.

info

Secrets are retrieved by the delegate. For Kubernetes build infrastructure, secrets are set as Kubernetes secrets and passed to the pod.

YAML example: Mount the SSL certificate

Both CI build pods and the SCM client on the delegate support this method.

warning

Make sure the destination path is not same as the default CA certificate path of the corresponding container image.
If you override the default certificate file, make sure the Kubernetes secret or config map (from step one) includes all certificates required by the pipelines that will use this build infrastructure.

Restart the delegate. Once it is up and running, exec into the container and ensure that the volume exists at the mounted path and contains your certificates.

Enable self-signed certificates with a self-hosted image registry (advanced)

important

This workflow is applicable only if you're using a self-hosted registry to store your container images. For all other workflows, go to Enable self-signed certificates.

Create a Kubernetes secret or config map with the required certificates in the same namespace used by the Harness delegate. For example:

apiVersion: v1
kind: Secret
metadata:
  name: addcerts
  namespace: harness-delegate-ng
type: Opaque
stringData:
  ca.bundle: |
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-------
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-------

Mount the secret as a volume on the delegate pod.

In the delegate pod, do the following:

Add DESTINATION_CA_PATH to the environment.
Provide a comma-separated list of paths in the build pod where you want the certs to be mounted.
Mount your certificate files to /opt/harness-delegate/ca-bundle.

To add DESTINATION_CA_PATH and mount the secret, go to the delegate Deployment YAML and update env, volumeMounts, and volumes. For an example, expand the section below.

YAML example: Add DESTINATION_CA_PATH and mount the SSL certificate

Both CI build pods and the SCM client on the delegate support this method.

warning

Make sure the destination path is not same as the default CA certificate path of the corresponding container image.
If you override the default certificate file, make sure the Kubernetes secret or config map (from step one) includes all certificates required by the pipelines that will use this build infrastructure.

Legacy: CI_MOUNT_VOLUMES

If you're storing your certificates in a local registry and need to run Docker-in-Docker, specify the local certificate path on the delegate.

For example, if your self-signed certs are stored at https://my-registry.local.org:799 and you log in with docker login my-registry.local.org:799, then you add the path to your DESTINATION_CA_PATH environment like this:

 spec:
   containers:
   - image: harness/delegate:yy.mm.verno
     env:
     - name: DESTINATION_CA_PATH
       value: "/etc/docker/certs.d/my-registry.local.org:799/ca.crt,/etc/ssl/certs/ca-bundle.crt,/kaniko/ssl/certs/additional-ca-cert-bundle.crt"
     volumeMounts:
       - name: certvol
         mountPath: /opt/harness-delegate/ca-bundle/ca.bundle
         subPath:  ca.bundle
   volumes:
   - name: certvol
     secret:
         secretName: addcerts
          items:
          - key: ca.bundle
            path: ca.bundle

Restart the delegate. Once it's up and running, exec into the container and ensure that the volume exists at the mounted path and contains your certificates.

Troubleshoot Kubernetes cluster build infrastructures

Go to the CI Knowledge Base for questions and issues related to Kubernetes cluster build infrastructures, including use of self-signed certificates, such as:

Enable self-signed certificates​

Enable self-signed certificates with a self-hosted image registry (advanced)​

Troubleshoot Kubernetes cluster build infrastructures​

Enable self-signed certificates

Enable self-signed certificates with a self-hosted image registry (advanced)

Troubleshoot Kubernetes cluster build infrastructures