Hello,
I installed the awx project on an okd instance using the official playbook.
I have a problem setting up LDAPS authentication against our FreeIPA implementation.
The OKD node is integrated with FreeIPA using the ipa-client-install command, so it has the FreeIPA certificate installed.
The problem is that I don't have the FreeIPA CA available in the awx_web container. Here's the error from the awx_web container:
WARNING django_auth_ldap Caught LDAPError while authenticating user: SERVER_DOWN({'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"},)
I set this variable in the inventory, but as specified in its comment, it seems to be obeyed only in the local_docker install:
# CA Trust directory. If you need to provide custom CA certificates, supplying
# this variable causes this directory on the host to be bind mounted over
# /etc/pki/ca-trust in the awx_task and awx_web containers.
# NOTE: only obeyed in local_docker install
ca_trust_dir=/etc/pki/ca-trust/source/anchor
So when I check in the container, the anchors folder contains nothing:
sh-4.2$ ls -l /etc/pki/ca-trust/source/anchors/
total 0
On the okd node:
[root@okdslv01p ~]# ls -l /etc/pki/ca-trust/source/anchors/
total 4
-rw-r--r--. 1 root root 1281 Dec 29 12:15 ca.crt
I also can't use update-ca-trust, as the root user doesn't exist in the awx_web container, I can't use sudo, and I don't have the right to write to the /etc/pki/ca-trust/source/anchors location:
sh-4.2$ su -
su: user root does not exist
sh-4.2$ touch /etc/pki/ca-trust/source/anchors/ca.crt
touch: cannot touch '/etc/pki/ca-trust/source/anchors/ca.crt': Permission denied
sh-4.2$ sudo touch /etc/pki/ca-trust/source/anchors/ca.crt
sudo: unknown user: root
sudo: unable to initialize policy plugin
How can I use AWX with my FreeIPA implementation using the OpenShift installation?
How can I add a certificate to the awx_web container?
Best regards.