
document how to mount a custom CA bundle #1250

Merged
ktdreyer merged 1 commit into main from kdreyer/docs-custom-ca-bundle on Apr 10, 2026

Conversation

@ktdreyer
Contributor

@ktdreyer ktdreyer commented Apr 8, 2026

Summary

Test plan

Closes #1248

Summary by CodeRabbit

  • Documentation
    • Added "Mounting a Custom CA Bundle" guide explaining how Ambient containers can trust private/corporate certificate authorities. Includes step-by-step workflows for OpenShift and generic Kubernetes deployments, a verification command, and a support status table noting backend-api as supported and runner pods as pending.

@coderabbitai
Contributor

coderabbitai bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b07f5c41-732c-4749-a3d3-b12206810fa5

📥 Commits

Reviewing files that changed from the base of the PR and between 98314cb and cc650d3.

📒 Files selected for processing (1)
  • docs/src/content/docs/guides/custom-ca-bundle.md
✅ Files skipped from review due to trivial changes (1)
  • docs/src/content/docs/guides/custom-ca-bundle.md

📝 Walkthrough

Walkthrough

Added a new guide documenting how to configure Ambient to trust private/corporate CAs by updating the system CA bundle at /etc/pki/tls/certs/ca-bundle.crt. Describes OpenShift automatic injection via config.openshift.io/inject-trusted-cabundle and manual ConfigMap mounting for non-OpenShift clusters; notes runner pod support is pending.

Changes

Cohort / File(s): Custom CA Bundle Documentation
  • docs/src/content/docs/guides/custom-ca-bundle.md
Summary: New guide "Mounting a Custom CA Bundle" explaining how Ambient reads /etc/pki/tls/certs/ca-bundle.crt, OpenShift trusted-ca-bundle injection workflow (use config.openshift.io/inject-trusted-cabundle: "true"), manual trusted-ca-bundle ConfigMap creation/mount for non-OpenShift, verification kubectl exec ... curl, and support status (backend-api supported; runner pods pending).
🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

  • Title check: ⚠️ Warning. Title lacks Conventional Commits format (missing type prefix like 'docs'). Should be 'docs: document how to mount a custom CA bundle'. Resolution: reformat title to follow Conventional Commits: 'docs: document how to mount a custom CA bundle'.

✅ Passed checks (7 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Linked Issues check: ✅ Passed. PR comprehensively addresses all objectives from #1248: explains CA usage, provides OpenShift and non-OpenShift workflows, specifies namespace deployment, includes verification steps, and notes pending runner pod support (#1247, #1038).
  • Out of Scope Changes check: ✅ Passed. Changes are entirely in-scope: single documentation file directly addressing #1248 requirements with no extraneous alterations.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Performance And Algorithmic Complexity: ✅ Passed. Documentation-only change adding markdown guide; performance and algorithmic complexity checks are inapplicable to documentation files.
  • Security And Secret Handling: ✅ Passed. Documentation correctly uses ConfigMaps for CA certificates (public data), leverages OpenShift CA injection, and contains no hardcoded secrets, plaintext credentials, or injection vulnerabilities.
  • Kubernetes Resource Safety: ✅ Passed. Kubernetes manifests are safe: ConfigMaps properly namespace-scoped, volumes mounted read-only, no unsafe child resources or RBAC issues present.


Operators connecting Ambient to internal services over HTTPS have no
guidance on configuring TLS trust. Add a guide explaining the
OpenShift CA injection approach (annotate a ConfigMap, mount it over
the system CA path) as well as the manual ConfigMap option for other
Kubernetes distributions.

Closes #1248

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
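The walkthrough and commit message above describe the two manifests involved (a trusted-ca-bundle ConfigMap and a read-only mount over /etc/pki/tls/certs/ca-bundle.crt) plus a kubectl exec ... curl verification. The script below is an added example, not code from the Ambient project or from this PR: it renders those manifests as functions so they can be inspected offline, and only touches a cluster when invoked with `apply` or `verify`. The namespace `ambient` and the deployment/container name `backend-api` are placeholders, not values taken from the PR. The ConfigMap renderer covers the manual, non-OpenShift path; on OpenShift the walkthrough says the same ConfigMap instead carries `config.openshift.io/inject-trusted-cabundle: "true"` and the platform populates its `ca-bundle.crt` key, so only the mount patch is needed there.

```shell
#!/bin/sh
# Added example, not part of the Ambient project or PR #1250.
# Renders the ConfigMap and the Deployment patch the guide describes and
# wraps the kubectl steps so nothing runs against a cluster by default.
# Assumptions (placeholders, not from the PR): namespace "ambient",
# deployment and container both named "backend-api".
set -e

NAMESPACE="${NAMESPACE:-ambient}"
DEPLOYMENT="${DEPLOYMENT:-backend-api}"
CONTAINER="${CONTAINER:-backend-api}"
CA_PATH=/etc/pki/tls/certs/ca-bundle.crt   # system CA path named in the PR walkthrough

# Number of PEM certificates in a bundle file. The mount replaces the whole
# system trust store, so the bundle must hold the public roots plus the
# private CA; a file with a single certificate almost certainly lacks the roots.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Manual ConfigMap for non-OpenShift clusters: the bundle file becomes the
# ca-bundle.crt key. On OpenShift the ConfigMap carries the
# config.openshift.io/inject-trusted-cabundle: "true" marker instead and
# the platform fills in ca-bundle.crt itself.
render_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: trusted-ca-bundle\n  namespace: %s\ndata:\n  ca-bundle.crt: |\n' "$NAMESPACE"
  sed 's/^/    /' "$1"
}

# Strategic-merge patch for the Deployment. Containers merge by name, so only
# CONTAINER gains the mount. subPath places the single key as a file over
# CA_PATH; readOnly stops the workload from altering its own trust store.
render_patch() {
  cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: trusted-ca-bundle
        configMap:
          name: trusted-ca-bundle
      containers:
      - name: $CONTAINER
        volumeMounts:
        - name: trusted-ca-bundle
          mountPath: $CA_PATH
          subPath: ca-bundle.crt
          readOnly: true
EOF
}

# $1 = local bundle file (public roots + private CA, PEM).
apply_ca_bundle() {
  [ "$(count_certs "$1")" -gt 1 ] || { echo "refusing: $1 holds one certificate, mounting it would drop the public roots" >&2; return 1; }
  render_configmap "$1" | kubectl apply -n "$NAMESPACE" -f -
  kubectl patch deployment "$DEPLOYMENT" -n "$NAMESPACE" --patch "$(render_patch)"
  # subPath mounts never pick up later ConfigMap edits, so force a new
  # rollout on every bundle change rather than relying on the patch to differ.
  kubectl rollout restart deployment/"$DEPLOYMENT" -n "$NAMESPACE"
  kubectl rollout status deployment/"$DEPLOYMENT" -n "$NAMESPACE"
}

# $1 = https URL of an internal service whose certificate chains to the private CA.
# Checks the mounted bundle is non-empty, then that curl trusts the endpoint
# (a 000 status or a TLS error in the output means the CA is still missing).
verify_ca_bundle() {
  kubectl exec -n "$NAMESPACE" deploy/"$DEPLOYMENT" -c "$CONTAINER" -- \
    sh -c "grep -c 'BEGIN CERTIFICATE' $CA_PATH && curl -sS -o /dev/null -w '%{http_code}\n' '$1'"
}

case "${1:-}" in
  apply)  apply_ca_bundle "$2" ;;
  verify) verify_ca_bundle "$2" ;;
esac
```

Run `sh ca-bundle.sh apply ./corporate-bundle.pem` to create the ConfigMap and patch the Deployment, then `sh ca-bundle.sh verify https://gitlab.internal.example/` (constructed hostname) to repeat the guide's in-pod curl check. The certificate count guard matters because a subPath mount over the system bundle is a replacement, not an addition: a ConfigMap holding only the private CA would silently break every public HTTPS call the backend makes.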
@ktdreyer ktdreyer force-pushed the kdreyer/docs-custom-ca-bundle branch from 98314cb to cc650d3 on April 9, 2026 19:23
@ktdreyer ktdreyer enabled auto-merge (squash) on April 9, 2026 19:23
@ktdreyer
Contributor Author

ktdreyer commented Apr 9, 2026

We should also remove the docs about Self-Signed SSL Certificates from docs/internal/integrations/gitlab-self-hosted.md

@ktdreyer ktdreyer merged commit dc1f42e into main Apr 10, 2026
14 checks passed
@ktdreyer ktdreyer deleted the kdreyer/docs-custom-ca-bundle branch April 10, 2026 18:02

Development

Successfully merging this pull request may close these issues.

docs: how to mount a custom CA bundle
