In some cases, it may be necessary to trust additional Certificate Authority (CA) certificates for requests to internal services. For example, if an HTTP Proxy uses an SSL cert that is signed by an internal CA, replicated must be configured to trust that internal CA.
At Install Time
This can be accomplished by providing the path to the CA certificate during the install step with the tls_cert_path parameter:
curl https://get.replicated.com/swarm-init | sudo bash -s tls_cert_path=/etc/pki/my-custom-bundle.cer
Similarly, for an airgapped installation, run
cat ./swarm-init.sh | sudo bash -s tls_cert_path=/etc/pki/my-custom-bundle.cer
For an Existing Installation
The stack can be updated in place with a new CA cert using the following command, replacing my-custom-bundle.cer with the path to your own CA bundle:
docker service update --mount-add type=bind,source=/etc/pki/my-custom-bundle.cer,target=/etc/ssl/certs/ca-certificates.crt,ro=1 replicated_replicated
Note
In both cases, the file you supply can replace the previous certificate bundle that was present in the replicated service, which causes any other SSL certificates (for example, those of public services) to become untrusted unless they are also in that file. If the app needs direct outbound access to the internet, it may be necessary to modify the value of target in the docker service update command above.
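One way to avoid losing the public roots when mounting over ca-certificates.crt is to mount a combined bundle instead: the host's existing trust store with the internal CA appended. The script below is an added example and is not part of the Replicated docs or the replicated project; the file paths in it are assumptions, and it only checks that each input holds at least one PEM certificate block rather than validating the certificates themselves.

```shell
#!/bin/sh
# Added example (not from the Replicated docs): build a combined trust bundle
# so that the bind mount over /etc/ssl/certs/ca-certificates.crt keeps the
# public roots as well as the internal CA. All paths below are assumptions.

# count_certs FILE: print the number of PEM certificate blocks in FILE
# (0 when the file is missing or holds no certificate).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# build_bundle SYSTEM_BUNDLE INTERNAL_CA OUTPUT
# Writes SYSTEM_BUNDLE followed by INTERNAL_CA to OUTPUT and prints the
# resulting certificate count. Fails without writing anything when either
# input holds no PEM certificate, so a mistyped path cannot silently produce
# an empty or root-less bundle for the service to trust.
build_bundle() {
    system_bundle=$1; internal_ca=$2; output=$3
    if [ "$(count_certs "$system_bundle")" -eq 0 ]; then
        echo "error: no certificates found in system bundle $system_bundle" >&2
        return 1
    fi
    if [ "$(count_certs "$internal_ca")" -eq 0 ]; then
        echo "error: no PEM certificate found in $internal_ca" >&2
        return 1
    fi
    # Write to a temporary file and rename, so the service never reads a
    # half-written bundle.
    tmp="$output.tmp.$$"
    { cat "$system_bundle"; echo; cat "$internal_ca"; echo; } > "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$output"
    count_certs "$output"
}

# mount_command OUTPUT: print the docker service update line from the docs
# with the combined bundle as the (read-only) mount source.
mount_command() {
    printf 'docker service update --mount-add type=bind,source=%s,target=/etc/ssl/certs/ca-certificates.crt,ro=1 replicated_replicated\n' "$1"
}

# Typical use (assumed paths):
#   sh build-bundle.sh /etc/ssl/certs/ca-certificates.crt \
#       /etc/pki/my-internal-ca.cer /etc/pki/my-custom-bundle.cer
if [ "$#" -eq 3 ]; then
    build_bundle "$1" "$2" "$3" && mount_command "$3"
fi
```

The combined file is what goes in the source= part of the docker service update command; because the mount is read-only, rebuilding the bundle and re-running the update is the way to rotate or add a CA later.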