Summary
Mount a prepared certificate file
Problem statement
Currently install-proxy-ca.sh requires sudo to run update-ca-certificates.
Proposed change
Maybe this can be avoided by using an init container.
The init container would take a Debian /etc/ssl/certs/ca-certificates.crt, add the MITM certificate to it and save it as a volume. (Maybe the file could only contain the MITM certificate to make it simpler)
Then we mount that volume over the /etc/ssl/certs/ca-certificates.crt in the agent container.
Alternatives considered
Set environment SSL_CERT_FILE / NODE_EXTRA_CA_CERTS / REQUESTS_CA_BUNDLE etc.
I don't like this, since it's likely there will be tools that need different envs or don't support envs like that at all.
Scope
Not sure
Roadmap alignment
This will help reduce the agent container capabilities and the need for sudo (for that case).
Willingness to implement
No response
Checklist
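One way the init container step proposed in this issue could be scripted, as an added example that is not part of the original issue or the project's code. The function name `build_bundle` and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not project code): build the CA bundle an init container
# would write to a shared volume, so the agent container needs no sudo.
# Hypothetical usage inside the init container:
#   sh prepare-bundle.sh /etc/ssl/certs/ca-certificates.crt \
#       /proxy-ca/ca.crt /bundle/ca-certificates.crt

build_bundle() {
    sys="$1"   # Debian system bundle
    ca="$2"    # proxy (MITM) CA certificate, PEM
    out="$3"   # bundle file on the shared volume

    [ -s "$sys" ] || { echo "missing system bundle: $sys" >&2; return 1; }
    [ -s "$ca" ]  || { echo "missing proxy CA: $ca" >&2; return 1; }

    # Accept exactly one PEM certificate: a stray private key or a second
    # CA must never end up in the trust store the agent will use.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$ca" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ] || grep -q 'PRIVATE KEY' "$ca"; then
        echo "proxy CA must be exactly one PEM certificate" >&2
        return 1
    fi

    # awk terminates every line, so a system bundle without a trailing
    # newline cannot fuse its last END line with the next BEGIN line.
    tmp="$out.tmp.$$"
    awk '{ print }' "$sys" "$ca" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Publish read-only and atomically: the agent never sees a partial file.
    chmod 0444 "$tmp" && mv -f "$tmp" "$out"
}

# Run only when called with the three paths.
if [ "$#" -eq 3 ]; then
    build_bundle "$@"
fi
```

Mounting the resulting volume read-only in the agent container keeps the agent from changing its own trust store.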