feat(nomad-aws,nomad-gcp): add custom CA certificate support for Docker#264
Open
denislemire wants to merge 1 commit into main from
Conversation
Add support for installing custom CA certificates on Nomad client hosts.
This allows Docker to pull images from registries that use certificates
signed by custom/private CAs.
Use case:
- Corporate environments with TLS-inspecting proxies
- Private Docker registries with self-signed certificates
- Air-gapped environments with internal CAs
Previously, custom CA certificates could only be passed to job containers
via the helm chart's `tls.certificate` setting and `CCI_ADDITIONAL_CA_CERTS_PATH`.
However, this only works AFTER containers start - it doesn't help the Docker
daemon on the host pull images in the first place.
Changes:
- Add `custom_ca_cert` variable (PEM format) to both nomad-aws and nomad-gcp
- Install CA to /usr/local/share/ca-certificates/ during cloud-init
- Run update-ca-certificates to add to system trust store
- Restart Docker daemon to pick up the new CA
Usage:
```hcl
module "nomad" {
  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws"
  # ... other variables ...
  custom_ca_cert = file("path/to/ca-cert.pem")
}
```
Summary
Add support for installing custom CA certificates on Nomad client hosts, allowing Docker to pull images from registries that use certificates signed by custom/private CAs.
Problem
Previously, custom CA certificates could only be passed to job containers via the helm chart's `tls.certificate` setting and `CCI_ADDITIONAL_CA_CERTS_PATH` environment variable. However, this only works after containers start - it doesn't help the Docker daemon on the host pull images in the first place.

This caused job failures (Exit Code 1) in environments with:
Solution
Add a new `custom_ca_cert` variable that:
- Installs the CA to `/usr/local/share/ca-certificates/` during cloud-init
- Runs `update-ca-certificates` to add to system trust store

Usage
Changes
- `nomad-aws/variables.tf` - Added `custom_ca_cert` variable
- `nomad-aws/main.tf` - Pass variable to template
- `nomad-aws/template/nomad-startup.sh.tpl` - Install CA, update trust store, restart Docker
- `nomad-aws/README.md` - Added usage example
- `nomad-gcp/variables.tf` - Added `custom_ca_cert` variable
- `nomad-gcp/main.tf` - Pass variable to template
- `nomad-gcp/templates/nomad-startup.sh.tpl` - Install CA, update trust store, restart Docker

Test Plan
- `custom_ca_cert` set: `/usr/local/share/ca-certificates/circleci-custom-ca.crt`
- `docker pull` works for images from registry using the custom CA
- `custom_ca_cert` is not set (empty string)
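As an added example (not the PR's `nomad-startup.sh.tpl` nor any code from the server-terraform project): the host-side steps the description lists, written as a POSIX sh script with the file handling separated from the privileged steps so the logic can be tried without root. The function names `install_custom_ca` and `apply_trust_store`, the `SAMPLE_CA_PEM` value and the `DRY_RUN` switch are assumptions made here; the target file name `circleci-custom-ca.crt` is the one from the test plan.

```shell
#!/bin/sh
# Added example, not the PR's template: write the PEM into the trust
# directory, refresh the system store, restart Docker. The file-handling
# part takes the directory as a parameter so it can run unprivileged.

# Constructed placeholder PEM for demonstration only; not a real certificate.
SAMPLE_CA_PEM='-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----'

# install_custom_ca PEM TRUST_DIR
# Writes the CA as circleci-custom-ca.crt into TRUST_DIR, which is
# /usr/local/share/ca-certificates on a real host. Returns 0 when there was
# nothing to do or the file was written, 1 when the input is not PEM.
install_custom_ca() {
  ca_pem="$1"
  trust_dir="$2"

  # Empty variable (the module default) means no custom CA: leave the trust
  # store untouched rather than writing an empty .crt file.
  if [ -z "$ca_pem" ]; then
    echo "custom_ca_cert not set; skipping CA install"
    return 0
  fi

  # Refuse anything that is not PEM-framed before it reaches the system
  # trust store; a malformed file would otherwise leave a broken entry
  # behind when update-ca-certificates processes the directory.
  case "$ca_pem" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
    *)
      echo "custom_ca_cert is not a PEM certificate; refusing to install" >&2
      return 1
      ;;
  esac

  mkdir -p "$trust_dir"
  target="$trust_dir/circleci-custom-ca.crt"
  # update-ca-certificates only picks up *.crt files from this directory,
  # and the file must be world-readable: every TLS client on the host
  # reads the resulting bundle, not just dockerd.
  printf '%s\n' "$ca_pem" > "$target"
  chmod 0644 "$target"
  echo "installed custom CA to $target"
  return 0
}

# apply_trust_store
# The privileged part: rebuild /etc/ssl/certs and restart dockerd, which
# loads the system CA pool only at start-up, so a pull attempted before the
# restart would still fail. DRY_RUN=1 (the default here) prints the
# commands instead of running them so the example works on a workstation.
apply_trust_store() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "dry run: would run 'update-ca-certificates' and 'systemctl restart docker'"
    return 0
  fi
  update-ca-certificates
  systemctl restart docker
}
```

On a Nomad client host the two functions would run as root from cloud-init with `DRY_RUN=0`, for example `install_custom_ca "$CUSTOM_CA_CERT" /usr/local/share/ca-certificates && apply_trust_store`. One design point worth weighing: adding the CA to the system store trusts it for every process on the host, whereas Docker also honours a per-registry `ca.crt` under `/etc/docker/certs.d/<registry-host>/`, which scopes the trust to that one registry and needs no daemon restart; the system-store route is the right one when the CA must also satisfy the TLS-inspecting proxy case, which affects more than Docker.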