Mounting an internal root CA across JupyterHub

Currently, Python code cannot make requests to internal websites like https://whoami.corp.example.com which is signed by an internal CA.

AD FS authentication via OIDC/OAuth2 also does not work as it doesn’t trust the AD FS server which itself is signed by the same root CA.

It’s quite an annoying problem for on-prem companies.

Is there some customization to values.yaml that could help us here?

Tiny progress but not working:

```yaml
singleuser:
  networkPolicy:
    enabled: false
  storage:
    extraVolumes:
      # Corp root CA, stored as a k8s Secret created from the original CA file
      - name: corp-ca-cert-volume
        secret:
          secretName: corp-ca
    extraVolumeMounts:
      # Where update-ca-certificates looks for locally added .crt files
      - name: corp-ca-cert-volume
        mountPath: /usr/local/share/ca-certificates/
        readOnly: true
  initContainers:
    - name: update-ca-certificates
      image: jupyter/base-notebook
      securityContext:
        runAsUser: 0
        runAsGroup: 0
        privileged: true
      # Note: this init container declares no volumeMounts, so the CA file and the
      # regenerated /etc/ssl/certs store only exist inside the init container's own
      # filesystem and are never shared with the notebook container
      command:
        - "update-ca-certificates"
        - "--verbose"
```

I now have my corp CA cert (which was made as a k8s secret from the original ca file) present in /usr/local/share/ca-certificates on user pods e.g. jupyter-foo. But if I exec into that container and use openssl to try to connect to some internal site, I get Verification error: unable to verify the first certificate. Manually specifying the root CA to use, which is present in the container, succeeds.

And of course, the Notebook (running some py code) can’t speak to anything internal either.

This also doesn’t solve the problem entirely because the hub container has no cert at all and won’t talk to AD FS for logins. Any help or tips are massively appreciated.

I know this topic is from about a year ago, but I spent a couple of days figuring out how to pass a corporate CA certificate into the JupyterHub pod because I needed it to trust our internal identity server. The suggestions I found online were a bit controversial, so I ended up making my own solution based on the one suggested by abctaylor. I wanted to share it here in case it might be helpful for someone else.

```yaml
hub:
  extraVolumes:
    # Writable store that replaces /etc/ssl/certs in the hub container
    - name: ca-certificates-store
      emptyDir: {}
    # ConfigMap holding the corporate root CA as a .crt file
    - name: global-root-ca
      configMap:
        name: global-root-ca
  extraVolumeMounts:
    - name: ca-certificates-store
      mountPath: /etc/ssl/certs
  initContainers:
    - name: update-ca-certificates
      image: debian:bookworm-slim
      command:
        - sh
        - -c
        - |
          set -e
          apt-get update && apt-get install -y ca-certificates
          # Rebuilds /etc/ssl/certs/ca-certificates.crt from the Debian roots
          # plus every .crt found under /usr/local/share/ca-certificates
          update-ca-certificates
          # -L dereferences the symlinks so the copies do not dangle in the hub image
          cp -rL /etc/ssl/certs/* /ca-store/
      volumeMounts:
        - name: ca-certificates-store
          mountPath: /ca-store
        - name: global-root-ca
          mountPath: /usr/local/share/ca-certificates
```
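Once the regenerated store is in place, the next question is which CA bundle the Python code in the pod actually verifies against, because `requests` ignores the system store and uses its bundled certifi file unless `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE` is set, while the stdlib `ssl` module (used by tornado and the hub's authenticators) follows `SSL_CERT_FILE` and then OpenSSL's compiled-in default. The diagnostic below is an added example, not code from the thread or from the JupyterHub chart; run it inside a hub or notebook pod, passing a fragment of your CA's CN as the argument (the `find_ca` lookup assumes a readable bundle file at the reported path).

```python
# Added example (not from the thread): report which CA bundle Python libraries in a
# JupyterHub/notebook pod trust, and whether the corp root CA is in that bundle.
import os
import ssl
import sys
from typing import Optional

# Variables honoured by `requests` (checked in this order; otherwise it uses certifi).
REQUESTS_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def stdlib_ca_file(env: dict) -> Optional[str]:
    """CA file the stdlib ssl default context verifies against.

    OpenSSL honours SSL_CERT_FILE first; otherwise the compiled-in default, which on
    Debian-based images is /etc/ssl/certs/ca-certificates.crt (the bundle that
    update-ca-certificates regenerates).
    """
    if env.get("SSL_CERT_FILE"):
        return env["SSL_CERT_FILE"]
    return ssl.get_default_verify_paths().openssl_cafile


def requests_ca_file(env: dict, certifi_path: str = "<certifi bundle>") -> str:
    """CA file `requests` verifies against; the certifi bundle never contains a
    system-wide corp CA, so only the env-var paths can make internal sites work."""
    for var in REQUESTS_ENV_VARS:
        if env.get(var):
            return env[var]
    return certifi_path


def find_ca(cafile: str, subject_fragment: str) -> list:
    """Return the subjects of CA certs in `cafile` whose CN or O contains the fragment."""
    ctx = ssl.create_default_context(cafile=cafile)
    hits = []
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs; each RDN is a tuple of (attribute, value) pairs
        flat = {attr: value for rdn in cert["subject"] for attr, value in rdn}
        if subject_fragment in flat.get("commonName", "") + flat.get("organizationName", ""):
            hits.append(flat)
    return hits


if __name__ == "__main__":
    fragment = sys.argv[1] if len(sys.argv) > 1 else "Corp"  # constructed default
    stdlib_path = stdlib_ca_file(dict(os.environ))
    print("stdlib ssl bundle :", stdlib_path)
    print("requests bundle   :", requests_ca_file(dict(os.environ)))
    print("corp CA in stdlib bundle:", find_ca(stdlib_path, fragment) or "NOT FOUND")
```

If the stdlib bundle lists the CA but `requests` still fails, set `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` in the pod environment (the chart's `hub.extraEnv` / `singleuser.extraEnv`) rather than adding a second copy of the certificate.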