This is a really cool feature available within OpenShift that lets users quickly pop open a terminal right from the Web Console, for those times when just typing the command is easier than finding the corresponding buttons in the browser.
For a quick intro, read this.
For most oc commands, this works beautifully. There was one use case we ran into at our customer site where they wanted to hit their self-hosted GitHub repository when running oc new-app. Of course, their enterprise had their own certificate bundle that needed to be trusted.
Typically, within OpenShift, you would do something like this, which we did; however, that did not work with this terminal pod.
Two of the maintainers of the Web Terminal Operator (WTO), Ilya and Angel, were absolutely fantastic and pointed us to the underlying technology of the DevWorkspace Operator (DWO) that had the answer.
WTO, by way of DWO, supported automounted configmaps whereby we could inject/mount the certificate bundle into the terminal pod. The exact documentation around that is here.
But they went even further in making things easier. Just use this configmap!
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-ca-certs
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
    controller.devfile.io/watch-configmap: "true"
    controller.devfile.io/mount-to-devworkspace: "true"
  annotations:
    controller.devfile.io/mount-as: "subpath"
    controller.devfile.io/mount-path: /etc/pki/ca-trust/extracted/pem/
data: {}
That beautiful yaml will mount the ca-bundle.crt from the injected configmap into all terminals in that namespace.
There is one gotcha though, which is that the file is mounted as /etc/pki/ca-trust/extracted/pem/ca-bundle.crt instead of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, which may cause issues.
Also remember to restart the terminal so the configmap is picked up/mounted.
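One way to work around the file-name gotcha from inside the terminal, as an added example that is not part of the original post or of the Web Terminal Operator: check that the mounted ca-bundle.crt actually contains complete certificates, then point clients at it explicitly. The function names are hypothetical, and it assumes the clients in the terminal image honor GIT_SSL_CAINFO (git) and SSL_CERT_FILE (OpenSSL and Go based tools).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Default path is the mount location described on this page.
MOUNTED_BUNDLE="/etc/pki/ca-trust/extracted/pem/ca-bundle.crt"

# Count PEM marker lines in a file. $1 = BEGIN or END, $2 = file path.
# Prints 0 when the file is missing or unreadable.
count_marker() {
    if [ -r "$2" ]; then
        grep -c -- "-----$1 CERTIFICATE-----" "$2" || true
    else
        echo 0
    fi
}

# Validate the bundle, then export it for this shell session.
# Returns 1 if no certificates were found, 2 if the file looks truncated.
use_mounted_bundle() {
    bundle="${1:-$MOUNTED_BUNDLE}"
    begins=$(count_marker BEGIN "$bundle")
    ends=$(count_marker END "$bundle")

    if [ "$begins" -eq 0 ]; then
        echo "no certificates in $bundle; was the terminal restarted after the configmap was created?" >&2
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "$bundle looks truncated: $begins BEGIN vs $ends END markers" >&2
        return 2
    fi

    # Assumption: these variables replace the default trust store for clients
    # that honor them, so the bundle must hold every CA the session needs.
    export SSL_CERT_FILE="$bundle"
    export GIT_SSL_CAINFO="$bundle"
    echo "trusting $begins certificates from $bundle"
}

# Usage inside the web terminal (source the file, then call the function):
#   . ./trust-bundle.sh && use_mounted_bundle
```

The exports only last for the current shell session, so the function has to be called again after each terminal restart.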