This topic tells you how to configure your Tanzu Developer Portal to trust unusual certificate authorities (CA) when making outbound connections.
Tanzu Developer Portal might require custom certificates when connecting to persistent databases or custom catalog locations that require SSL. You use overlays with PackageInstalls to make this possible. There are two ways to implement this workaround: you can add a custom CA or you can deactivate all SSL verification.
ca_cert_data is supported at the top level of its values file. Any number of newline-delimited CA certificates in PEM format are accepted.
For example:
# tap-gui-values.yaml
ca_cert_data: |
  -----BEGIN CERTIFICATE-----
  cert data here
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  other cert data here
  -----END CERTIFICATE-----
app_config:
  # ...
Tanzu Developer Portal also inherits shared.ca_cert_data from your tap-values.yaml file. shared.ca_cert_data is newline-concatenated with ca_certs given directly to Tanzu Developer Portal.
shared:
  ca_cert_data: |
    -----BEGIN CERTIFICATE-----
    cert data here
    -----END CERTIFICATE-----
tap_gui:
  ca_cert_data: |
    -----BEGIN CERTIFICATE-----
    other cert data here
    -----END CERTIFICATE-----
  app_config:
    # ...
To verify that Tanzu Developer Portal has processed the custom CA certificates, check that the ca-certs-data volume with mount path /etc/custom-ca-certs-data is mounted in the Tanzu Developer Portal server pod.
To deactivate all SSL verification, set the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0. When the value equals 0, certificate validation is deactivated for TLS connections.
To do this, use the package_overlays key in the Tanzu Application Platform values file. For instructions, see Customize Package Installation.
The following YAML is an example Secret containing an overlay to deactivate TLS certificate verification:
apiVersion: v1
kind: Secret
metadata:
  name: deactivate-tls-overlay
  namespace: tap-install
stringData:
  deactivate-tls-overlay.yml: |
    #@ load("@ytt:overlay", "overlay")
    #@overlay/match by=overlay.subset({"kind":"Deployment", "metadata": {"name": "server", "namespace": "NAMESPACE"}}),expects="1+"
    ---
    spec:
      template:
        spec:
          containers:
            #@overlay/match by=overlay.all,expects="1+"
            #@overlay/match-child-defaults missing_ok=True
            - env:
                - name: NODE_TLS_REJECT_UNAUTHORIZED
                  value: "0"
Where NAMESPACE is the namespace in which your Tanzu Developer Portal instance is deployed. For example, tap-gui.
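Both the custom CA mount check and the effect of the deactivation overlay can be read from the server pod's spec. The following is an added example, not part of the original documentation: it audits pod JSON such as the output of kubectl get pod POD-NAME -n NAMESPACE -o json, and reports whether the ca-certs-data volume is mounted at /etc/custom-ca-certs-data and whether NODE_TLS_REJECT_UNAUTHORIZED is set to 0. The function name audit_pod, the sample pod, and its container name are assumptions made for illustration.

```python
import json

CA_VOLUME = "ca-certs-data"                  # volume name given on this page
CA_MOUNT_PATH = "/etc/custom-ca-certs-data"  # mount path given on this page
TLS_ENV = "NODE_TLS_REJECT_UNAUTHORIZED"     # variable set by the overlay


def audit_pod(pod: dict) -> dict:
    """Report the custom CA mount and TLS verification state per container."""
    spec = pod.get("spec", {})
    volume_defined = any(v.get("name") == CA_VOLUME for v in spec.get("volumes", []))
    report = {"ca_volume_defined": volume_defined, "containers": {}}
    for c in spec.get("containers", []):
        mounted = any(
            m.get("name") == CA_VOLUME and m.get("mountPath") == CA_MOUNT_PATH
            for m in c.get("volumeMounts", [])
        )
        # Variables sourced through valueFrom have no literal value and map to None.
        env = {e.get("name"): e.get("value") for e in c.get("env", [])}
        report["containers"][c.get("name")] = {
            "ca_mounted": volume_defined and mounted,
            # Validation is deactivated only when the value equals "0".
            "tls_verification_off": env.get(TLS_ENV) == "0",
        }
    return report


# Constructed sample: trimmed pod JSON with the CA bundle mounted and the
# deactivation overlay also applied. The container name is hypothetical.
SAMPLE_POD = json.loads("""
{
  "spec": {
    "volumes": [{"name": "ca-certs-data"}],
    "containers": [{
      "name": "example-container",
      "volumeMounts": [{"name": "ca-certs-data",
                        "mountPath": "/etc/custom-ca-certs-data"}],
      "env": [{"name": "NODE_TLS_REJECT_UNAUTHORIZED", "value": "0"}]
    }]
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_pod(SAMPLE_POD), indent=2))
```

A pod that reports tls_verification_off as true is not validating certificates against the mounted CA bundle, even when ca_mounted is also true.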