UNCLASSIFIED - NO CUI


Using UBI image breaks the logic for adding Custom CA cert

Summary

The logic to add a custom CA breaks with the UBI base image, because the underlying Harbor script that appends custom CAs only runs on Photon-based images.

Steps to reproduce

Deploy Harbor using IB Helm Chart with a custom CA specified in the chart.

What is the current bug behavior?

The script that adds a custom CA, located at https://github.com/goharbor/harbor/blob/main/make/photon/common/install_cert.sh#L5 inside the core container, skips appending the CA if the base image is not Photon, so a custom CA never works on the UBI image. If we use the image from Dockerhub, the custom CA logic works since those images are Photon based.

What is the expected correct behavior?

Adding custom CA should work regardless of the base image used.

Relevant logs and/or screenshots

This shows up in the core container logs: "Current OS is not Photon, skip appending ca bundle"

#!/bin/sh

set -e

if ! grep -q "Photon" /etc/lsb-release; then
    echo "Current OS is not Photon, skip appending ca bundle"
    exit 0
fi

ORIGINAL_LOCATION=$(dirname "$0")

if [ ! -f $ORIGINAL_LOCATION/ca-bundle.crt.original ]; then
    cp /etc/pki/tls/certs/ca-bundle.crt $ORIGINAL_LOCATION/ca-bundle.crt.original
fi

cp $ORIGINAL_LOCATION/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt

# Install /etc/harbor/ssl/{component}/ca.crt to trust CA.
echo "Appending internal tls trust CA to ca-bundle ..."
for caFile in `find /etc/harbor/ssl -maxdepth 2 -name ca.crt`; do
    cat $caFile >> /etc/pki/tls/certs/ca-bundle.crt
    echo "Internal tls trust CA $caFile appended ..."
done
echo "Internal tls trust CA appending is Done."

if [[ -d /harbor_cust_cert && -n "$(ls -A /harbor_cust_cert)" ]]; then
    echo "Appending trust CA to ca-bundle ..."
    for z in /harbor_cust_cert/*; do
        case ${z} in
            *.crt | *.ca | *.ca-bundle | *.pem)
                if [ -d "$z" ]; then
                    echo "$z is directory, skip it ..."
                else
                    cat $z >> /etc/pki/tls/certs/ca-bundle.crt
                    echo " $z Appended ..."
                fi
                ;;
            *) echo "$z is Not ca file ..." ;;
        esac
    done
    echo "CA appending is Done."
fi

Possible fixes

Replace that script with another one that implements the same logic on UBI-based images.
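One way to implement that replacement, as an added example that is not Harbor's install_cert.sh and not part of the Iron Bank chart: the same "restore the pristine bundle, then append internal and custom CAs" flow, with the OS check replaced by a lookup of the bundle path from /etc/os-release so it runs on Photon and UBI alike. The /etc/harbor/ssl and /harbor_cust_cert directories and the accepted file extensions are taken from the original script; the bundle locations per OS family (Photon and the RHEL family at /etc/pki/tls/certs/ca-bundle.crt, Debian-like at /etc/ssl/certs/ca-certificates.crt) are assumptions, and every function takes its paths as parameters so the logic can be exercised in a scratch directory without touching the real trust store.

```shell
#!/bin/sh
# Added example (not Harbor's install_cert.sh, not Iron Bank's): append internal and
# custom CAs to the system bundle without requiring a Photon base image.
# Assumed bundle paths per OS family; Harbor directories as in the original script.
set -e

# Resolve the system CA bundle from an os-release file (default /etc/os-release).
# Photon and the RHEL family (UBI) both expose /etc/pki/tls/certs/ca-bundle.crt
# (on UBI it is a symlink into /etc/pki/ca-trust/extracted, and cp/cat write
# through it); anything else is assumed to be Debian-like.
detect_bundle() {
    release_file="${1:-/etc/os-release}"
    if grep -qiE '^ID="?(photon|rhel|centos|fedora|rocky|almalinux)"?$' "$release_file" 2>/dev/null; then
        echo /etc/pki/tls/certs/ca-bundle.crt
    else
        echo /etc/ssl/certs/ca-certificates.crt
    fi
}

# Accept the same file extensions the original script accepts.
is_ca_file() {
    case "$1" in
        *.crt|*.ca|*.ca-bundle|*.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# Keep a pristine copy of the bundle on first run and restore it on every run,
# so container restarts never append the same CA twice.
reset_bundle() {
    if [ ! -f "$1.original" ]; then
        cp "$1" "$1.original"
    fi
    cp "$1.original" "$1"
}

# append_ca_dir BUNDLE DIR [MAXDEPTH] [NAME]: append every regular CA file found
# at most MAXDEPTH levels below DIR (matching NAME, default any) to BUNDLE.
# Prints the number of files appended; a missing DIR is not an error.
append_ca_dir() {
    bundle="$1"; dir="$2"; depth="${3:-1}"; name="${4:-*}"; n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in $(find "$dir" -maxdepth "$depth" -type f -name "$name" | sort); do
        if is_ca_file "$f"; then
            cat "$f" >> "$bundle"
            # keep PEM blocks separated when a file lacks a trailing newline
            [ -z "$(tail -c1 "$f")" ] || echo >> "$bundle"
            n=$((n + 1))
        else
            echo "$f is not a CA file, skipped" >&2
        fi
    done
    echo "$n"
}

# Count certificates in a bundle, a cheap post-condition for the container log.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

main() {
    target=$(detect_bundle)
    reset_bundle "$target"
    echo "Appending internal tls trust CA to $target ..."
    append_ca_dir "$target" /etc/harbor/ssl 2 ca.crt
    echo "Appending custom trust CA to $target ..."
    append_ca_dir "$target" /harbor_cust_cert 1
    # Caveat for UBI: update-ca-trust regenerates the extracted bundle and would
    # discard these appends, so do not run it afterwards in the same entrypoint.
    echo "CA appending is Done: $(count_certs "$target") certificates in bundle"
}

# Run only when invoked as: sh install_cert_any.sh install
if [ "${1:-}" = "install" ]; then
    main
fi
```

Invoked with the `install` argument the script behaves like the original one at container start; without it, only the functions are defined, which is what lets the logic be checked against constructed bundle and certificate files before it is wired into an image.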

Tasks

  • Bug has been identified and corrected within the container

Please read the Iron Bank Documentation for more info

Edited by ANWAR CHIRAKKATTIL