IBM Support

Disable SSL verification when accessing git server with a self-signed certificate in non-production environment

Question & Answer


Question

The SSL certificate verification error occurred when I tried to access git repositories over SSL and the server provides a self-signed certificate. I can run git config --global http.sslverify false within the asset-files-api pod to disable SSL verification, but this setting is get reset when the pod restarted. Could you tell me how to make this setting persistent?

Answer

Use following steps to keep git config --global http.sslverify false setting persistent, so this setting will be enabled after the asset-files-api pod get restarted.

[Steps]
1) Check the asset-files api pod
# oc get pod |grep files
asset-files-api-7c5c776677-phd4f                              1/1     Running     0          5d21h
2) Back up the deployment setting of asset-files pod 
# oc get deploy asset-files-api -o yaml > /tmp/asset-files-api-deploy-9827.yaml
# cat /tmp/asset-files-api-deploy-9827.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cloudpakId: eb9998dcc5d24e3eb5b6fb488f750fe2
    cloudpakName: IBM Cloud Pak for Data
    deployment.kubernetes.io/revision: "2"
 ...
3) Edit sset-files-api-deploy deployment 
# oc edit deploy asset-files-api
4) Add following setting
Before: 
 ...
        image: image-registry.openshift-image-registry.svc:5000/zen/asset-files-api:v3.5.5_080621
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
 ...
After: 
 ...
        image: image-registry.openshift-image-registry.svc:5000/zen/asset-files-api:v3.5.5_080621
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:
              - /bin/sh
              - -c
              - git config --global http.sslCAInfo /etc/certificate/certificate.pem;
                git config --global user.email "@bhp.com"
        livenessProbe:
          failureThreshold: 5
 ...
5) Save the deployment, and confirmed the new pod is up and running 
# oc get pod |grep files
asset-files-api-657f7d4d5-gwm82                               0/1     Running             0          18s
asset-files-api-7c5c776677-phd4f                              1/1     Running             0          5d21h
NOTE:

The workaround is intended to be used for demo or test environment. Removing the SSL verification disproves the whole concept of having SSL implemented. Use proper CA signed certificate on production environment.

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHUT6","label":"IBM Watson Studio Premium Cartridge for IBM Cloud Pak for Data"},"ARM Category":[{"code":"a8m0z000000Gp4cAAC","label":"Installation->Post-installation tasks"}],"ARM Case Number":"TS006627040","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
01 September 2021

UID

ibm16485877

Page Feedback