How to import root CA certificate into Portworx
KB0014836
Pure Product
Portworx
Environment
Portworx 2.10 and newer.
Symptoms
Portworx is unable to reach/authenticate with required endpoints (e.g. Zuora billing server) because of mismatching cert.
Cause
1. Customer uses Zscaler proxy (or other proxy or monitoring appliance) which performs SSL inspection and modifies the certificate.
2. Customer uses self-signed certificates in their environment.
Resolution
1. Export root-CA in .pem format
echo | openssl s_client -connect <server>:<port> -showcerts | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > ca-bundle.pem
2. Create kubernetes secret with the above CA
kubectl -n kube-system create secret generic pwx-ca-bundle --from-file=ca-bundle.pem
3. Include new CA in Portworx
- For Operator based installations, edit the storagecluster object and add/modify the following:
kubectl edit stc -n kube-system
metadata:
annotations:
portworx.io/misc-args: "-CA /opt/pwx/oci/mounts/my-ca/ca-bundle.pem"
spec:
image: "portworx/oci-monitor:#.#.#"
volumes:
- name: my-ca
mountPath: /my-ca
secret:
secretName: pwx-ca-bundle
items:
- key: ca-bundle.pem
path: ca-bundle.pem
- For Daemonset based installations, edit portworx daemonset and add/modify the following:
kubectl edit ds portworx -n kube-system
spec:
template:
spec:
containers:
- image: portworx/oci-monitor:#.#.#
args:
...
- -CA
- /opt/pwx/oci/mounts/my-ca/ca-bundle.pem
volumeMounts:
- mountPath: /my-ca
name: my-ca
...
volumes:
- name: my-ca
secret:
secretName: pwx-ca-bundle
items:
- key: ca-bundle.pem
path: ca-bundle.pem