Internal CA trust for project playbooks


Hello everyone,

I have a simple yet problematic situation.

I have an AWX 19.3 setup in an openshift cluster, and I have a gitlab repo that is hosting my playbooks and another for my collections.

When I try to import my collections, I get the error "fatal: unable to access 'https://gitlab/blabla/repo/': SSL certificate problem: self signed certificate in certificate chain".

The IRC channel has advised me to build my own EE, but:

1/ I’m not sure how to do that
2/ I’m not sure how to do that while including my CA

If someone has a detailed view on how to build EE properly and sustainably, or on how to achieve my goal here, I’d be very glad.

Thanks a lot and happy automating!

I haven’t tested with our internal GitHub yet as I just finished setting up the operator and a test AWX instance in the OpenShift 4.7 cluster.
As per one of the posts, I created the following secret with our internal CA that’s used by LDAP, git and others for HTTPS communication.

oc create secret generic org-ca-cert -n awx-test-ns --from-file=ldap-ca.crt=myorg-CA.pem --from-file=bundle-ca.crt=myorg-CA.pem

I have not customized the EE docker image yet, but I do see that the EE container now has the following mount with the certificate data:

/etc/pki/ca-trust/source/anchors/bundle-ca.crt

I have these entries in the AWX instance YAML

ldap_cacert_secret: org-ca-cert

bundle_cacert_secret: org-ca-cert
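As an added illustration of what the bundle-ca.crt anchor changes (example script, not code from this thread or from AWX): it builds a throwaway internal CA and a server certificate signed by it, reproduces git's "self signed certificate in certificate chain" failure with openssl (X509 error 19), then places the CA in an anchors directory the way the bundle_cacert_secret mount does and verifies again. All names, paths and the CA itself are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Requires the openssl CLI (1.1.1 or newer).
set -u

WORK="$(mktemp -d)"
ANCHORS="$WORK/anchors"        # stands in for /etc/pki/ca-trust/source/anchors
mkdir -p "$ANCHORS"

make_test_pki() {
  # Self-contained config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Constructed internal CA (plays the role of myorg-CA.pem).
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server certificate for a constructed internal GitLab host, issued by that CA.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=gitlab.example.internal" \
    -newkey rsa:2048 -nodes -keyout "$WORK/git.key" -out "$WORK/git.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/git.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/git.pem" 2>/dev/null
}

# Verify the server cert the way a TLS client does: the server presents its own
# cert plus the CA (-untrusted); only the file in $1 is trusted. With no anchor
# this is X509 error 19, "self signed certificate in certificate chain".
verify_chain() {  # $1 = anchor file or "" ; prints "trusted" or "error <n>"
  local out
  if out="$(openssl verify -no-CAfile -no-CApath ${1:+-CAfile "$1"} \
      -untrusted "$WORK/ca.pem" "$WORK/git.pem" 2>&1)"; then
    echo trusted
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) .*/error \1/p' | head -n1
  fi
}

# What the bundle_cacert_secret mount does inside the EE: drop the CA into anchors.
install_anchor() { cp "$WORK/ca.pem" "$ANCHORS/bundle-ca.crt"; }

make_test_pki
echo "before anchor: $(verify_chain "")"                        # error 19
install_anchor
echo "after anchor:  $(verify_chain "$ANCHORS/bundle-ca.crt")"  # trusted
```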

Here is the documentation on how to write an EE.

https://ansible-builder.readthedocs.io/en/latest/index.html

I also wrote something about it a while back

http://weiyentan.github.io/2021/creating-execution-environments/

You may need to increment the versions for some things.

I hope it helps

The git SSL verification can be turned off in AWX if you are so inclined. I’ll dig it up if you want to go down that path.

That is EXACTLY what I’ve been looking for. Thank you so much.

I’ve added the bundle-ca.crt generic secret, and now my git SSL certs do not throw any errors.

Thanks again!