Hello Team,
We have implemented auth.jwt token to log in to the Grafana portal from our application without entering the credentials again. It works fine after adding our application CA cert into the /etc/ssl/certs/ca-certificates.crt file in our Kubernetes container, as suggested by community experts.
But I realized it requires root-level access. Does anyone know how to update this file (/etc/ssl/certs/ca-certificates.crt)? Due to security reasons and best practices we can’t run any of our Kubernetes containers as root.
I have added the below section in my grafana-values.yaml file (Helm) to make it work with the root user.
Please let me know if anyone has any suggestions or feedback.
Define command to be executed at startup by grafana container
Hello @jangaraj,
When I mount it directly, it actually replaces the entire ca-certificates.crt (file size should be greater than 221145) with our own CA cert. As you mentioned in another forum, this could cause an issue when Grafana talks to other services, including grafana.com.
Hello @jangaraj,
Got it. Thanks for the suggestion.
I think the Grafana standard CAs get generated only at the time the container starts, and it places them in this location in the Grafana pod: “/etc/ssl/certs/ca-certificates.crt”. Not sure how we can build our own custom CA using the container-runtime-generated CAs and mount it back again…
Do you have any sample references I can refer to?
Here is what my current configuration looks like… We are using the Grafana Helm chart (grafana-8.5.1.tgz) in a Kubernetes cluster.
You can’t have everything: there is no way to update the CA at start when the Grafana container is rootless and that file is owned by root (I guess). You should switch to a different tool if you need that, e.g. Cloud Foundry, which is able to manage custom CAs in the containers.
OK, got it. So if the Grafana container is running as a non-root user, then I should install ca-certificates and create my own bundle including our own cert + the installed ca-certificates, then mount it back through volumeMounts to make it work. Is that correct?
Based on @jangaraj's suggestion I have created a new ConfigMap by adding my own CA cert, appending it to the OS CA bundle, and replacing the file with a volumeMount in the grafana-values file. Everything is working fine now…
Below is the line from Helm hooks, run before creating the Grafana container:
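An added example (not the poster's configuration and not Grafana project code) of the approach the thread converged on: keep the OS root bundle, append the application CA, and mount the merged file over /etc/ssl/certs/ca-certificates.crt with a subPath so the rest of the directory is untouched. It assumes the grafana chart's extraConfigmapMounts list and a ConfigMap named grafana-ca-bundle; in practice the base bundle is the one copied out of the Grafana image, while every file body below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from this thread. Builds a CA bundle that keeps the
# OS roots and appends the application CA, and emits the chart values that
# mount it over /etc/ssl/certs/ca-certificates.crt. File names, the ConfigMap
# name and the PEM bodies are constructed placeholders, not real certificates.
set -eu

size() { wc -c < "$1" | tr -d ' '; }

# build_ca_bundle BASE CUSTOM OUT: copy BASE, append CUSTOM (PEM) as OUT.
# Mounting only the app CA replaced the whole bundle in the thread, so this
# refuses to produce an output that is not larger than the base bundle.
build_ca_bundle() {
  base="$1"; custom="$2"; out="$3"
  grep -q 'BEGIN CERTIFICATE' "$custom" || { echo "not PEM: $custom" >&2; return 1; }
  cat "$base" > "$out"
  [ -z "$(tail -c 1 "$base")" ] || echo >> "$out"  # base lacked a final newline
  cat "$custom" >> "$out"
  [ "$(size "$out")" -gt "$(size "$base")" ] || { echo "bundle shrank" >&2; return 1; }
}

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# make_sample_inputs DIR: constructed stand-ins for the OS bundle (two certs,
# deliberately missing its final newline) and the application CA (one cert).
make_sample_inputs() {
  c='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
  printf '%s\n%s\n%s\n%s\n%s\n%s' "$c" PLACEHOLDER-OS-ROOT-1 "$e" "$c" PLACEHOLDER-OS-ROOT-2 "$e" > "$1/os-bundle.crt"
  printf '%s\n%s\n%s\n' "$c" PLACEHOLDER-APP-CA "$e" > "$1/app-ca.crt"
}

# helm_values_fragment CONFIGMAP: grafana chart values that mount one key of
# the ConfigMap over the bundle path (subPath keeps the rest of /etc/ssl/certs).
# Assumes the chart's extraConfigmapMounts list; the ConfigMap name is assumed.
helm_values_fragment() {
  cat <<EOF
extraConfigmapMounts:
  - name: ca-bundle
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
    configMap: $1
    readOnly: true
EOF
}

# Stand-alone run on the constructed input; no cluster access is needed.
work=$(mktemp -d)
make_sample_inputs "$work"
build_ca_bundle "$work/os-bundle.crt" "$work/app-ca.crt" "$work/ca-certificates.crt"
echo "certificates in merged bundle: $(count_certs "$work/ca-certificates.crt")"  # 3
helm_values_fragment grafana-ca-bundle
```

The merged file becomes the ConfigMap with `kubectl create configmap grafana-ca-bundle --from-file=ca-certificates.crt=<merged bundle>`; the mounted file is root-owned and read-only, which is fine because the non-root Grafana process only needs to read it.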