I’m in the process of setting up an on-prem deployment. My company prefers to host almost everything internally, and we have our own certificate authority that issues certs for all of our internal sites. Our self-hosted gitlab, binderhub, and the in-deployment jupyterhub will all make use of this CA.
I’ve successfully stood up the site. However, in the process, I ran into an issue where, in order to resolve the ref for the repo being requested, binderhub (or specifically the request being made via AsyncHTTPClient) needed to be aware of the CA. If it wasn’t, then I ran into SSL cert issues. In order to get past this, I mounted a secret, went into the code, and explicitly configured the individual API request to use ca_certs='<ca_cert_bundle_path>':
resp = yield client.fetch( api_url, user_agent="BinderHub", ca_certs='<<ca cert>>' )
I rebuilt, used my tweaked image, and successfully made the call to gitlab. Then I ran into the same SSL issues when calling the hub API after the completion of a build, and had to do some further tweaking. So I’ve gotten the deployment set up and it’s now working, but with a hacked copy of your source. This is unsustainable from my end, and I’d like to figure out a way to install and/or use my CA certs either through init containers or configuration options.
TL;DR: Is it possible to configure binderhub to use a specific client cert for all outgoing requests?
If you would like me to elaborate at all on what I know, let me know. And please feel free to direct me elsewhere if this isn’t the right place to raise this type of request.
Thanks for your help,
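The following Helm values are an added example, not code from the original post or from the BinderHub project, showing the two places a practitioner would normally hook a private CA in without patching source. It assumes the binderhub chart exposes the `extraVolumes`, `extraVolumeMounts`, `extraEnv` and `extraConfig` keys (check the names against the values.yaml of the chart version you run), and that a Secret named `private-ca` with key `ca.pem` holds the internal CA bundle; both names are placeholders.

```yaml
# Added example (not from the original post or the BinderHub project).
# Assumptions, to be verified against your chart version: the binderhub
# chart exposes extraVolumes, extraVolumeMounts, extraEnv and extraConfig;
# the Secret "private-ca" with key "ca.pem" was created beforehand, e.g.
#   kubectl create secret generic private-ca --from-file=ca.pem=./internal-ca-bundle.pem

# 1. Mount the CA bundle into the binderhub pod (read-only).
extraVolumes:
  - name: private-ca
    secret:
      secretName: private-ca
extraVolumeMounts:
  - name: private-ca
    mountPath: /etc/ssl/private-ca
    readOnly: true

# 2a. Environment-only option, no Python involved. When a request carries no
#     ca_certs, tornado's simple_httpclient builds its SSLContext with
#     ssl.create_default_context(), which loads the default verify paths, and
#     OpenSSL honours SSL_CERT_FILE there. Every request on the default
#     AsyncHTTPClient (the GitLab ref lookup and the Hub API call from the
#     post) is then verified against this bundle.
#     Caveat: SSL_CERT_FILE overrides the default CA *file*; whether public
#     roots are still trusted depends on the image's default CA directory.
#     If binderhub must also reach public hosts, append those roots to ca.pem.
extraEnv:
  SSL_CERT_FILE: /etc/ssl/private-ca/ca.pem

# 2b. Explicit option, pinned in the binderhub config instead of the
#     environment. extraConfig snippets are plain Python executed as part of
#     binderhub's config; AsyncHTTPClient.configure(None, defaults=...) sets
#     request defaults for every fetch() on clients created afterwards, so it
#     replaces the per-call ca_certs= edit from the post.
#     Caveat: when ca_certs is given, tornado loads only that file, so the
#     same "include public roots if needed" rule applies.
extraConfig:
  01-private-ca: |
    from tornado.httpclient import AsyncHTTPClient
    AsyncHTTPClient.configure(
        None,
        defaults=dict(ca_certs="/etc/ssl/private-ca/ca.pem"),
    )
```

Use one of 2a or 2b, not both; 2a is the lower-touch choice because it also covers any other OpenSSL-backed client in the pod, while 2b keeps the trust decision visible in the deployment's Python config. A quick check after rollout is to exec into the binderhub pod and run `python -c "import ssl; ssl.create_default_context().load_verify_locations('/etc/ssl/private-ca/ca.pem')"`, which fails loudly if the mounted bundle is not valid PEM.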