I have a grafana docker container running in an openshift environment.
I have a proxy in front of grafana which handles the SSL termination for grafana.
I am using grafana’s generic oauth mechanism for authentication.
I have a keycloak instance running with https.
Grafana gives the following error when someone tries to authenticate
lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“Post https://auth-server-url/auth/realms/ABC/protocol/openid-connect/token: x509: certificate signed by unknown authority”
I have already set all the variables required for generic oauth including the tls_cert, tls_key, tls_ca.
When I put certs from a well known CA like GoDaddy everything works fine.
But I have custom company generated certs with our own ca. I want to add this to grafana’s trusted CAs.
Build own crt file with all required CA certs and mount it to the /etc/ssl/certs/ca-certificates.crt (file location is valid for docker images based on the Debian) in the Grafana container.
You don’t create the directory inside the container. Instead, you mount the ca-certificates.crt into your container when creating it (docker run -v $PWD/ca-certifcates.crt:/etc/ssl/ca-certifcates.crt:ro ... if you’re on your desktop. Kubernetes has a similar way of mounting files into the container)
Alternatively you can build your custom container based on the grafana image. But then you need to rebuild it every time there is a new official grafana image. That can be automated, but that’s extra effort you need to supply.