Our CoreOS boxes are behind a proxy that requires a custom CA certificate to be installed. What is the best way to do that? It doesn’t appear that update-ca-trust works, so it doesn’t look like I can drop anything in /etc/ssl/certs via Ignition.
I’m guessing it may be possible to copy off the ca-bundle.ctrust.crt file, modify it externally and completely replace it via Ignition, but that sounds pretty extreme.
@seoras - were you able to drop files in and get it to work? We probably need a documentation example for this that explains the moving pieces. Would you be willing to write some?
I haven’t had a chance to dig into it yet. I did get an Ignition error when trying it out, but it was a bare metal server that I couldn’t get the console logs from, so I don’t know what the error was. I will have another attempt on something I can control more and update this comment with the results.
It worked for me. I dropped a CA cert in /etc/pki/ca-trust/source/anchors with Ignition and coreos-update-ca-trust.service automatically ran and added it to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem at boot. That’s awesome!
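The approach described in the last reply, written out as a Butane config. This is an added example, not a config posted by anyone in the thread. It assumes Butane with the `fcos` variant is used to generate the Ignition file; the file name `proxy-ca.crt` and the certificate body are placeholders.

```yaml
# Added example: Butane config (assumed tooling) that is transpiled to
# Ignition, e.g. with: butane --strict proxy-ca.bu > proxy-ca.ign
variant: fcos
version: 1.4.0
storage:
  files:
    # Anchor directory named in the thread. Per the reply above,
    # coreos-update-ca-trust.service picks up certificates placed here
    # at boot and adds them to
    # /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
    # "proxy-ca.crt" is a hypothetical file name.
    - path: /etc/pki/ca-trust/source/anchors/proxy-ca.crt
      # World-readable, writable only by root: a trust anchor is not
      # secret, but anyone who can modify it controls which TLS
      # certificates the host accepts.
      mode: 0644
      contents:
        # Placeholder: paste the PEM of the proxy's CA certificate.
        # Include only the CA certificate, never its private key.
        inline: |
          -----BEGIN CERTIFICATE-----
          <base64 body of your proxy CA certificate>
          -----END CERTIFICATE-----
```

After first boot, the certificate should appear in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, as reported in the reply above.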