Air-gapped Red Hat repository certificate issue

[rosedovell]

Hello,

I'm trying to install the gpu-operator helm chart into an air-gapped environment using private repositories. To get around SSL for these repositories, I need to mount the certificate configmap like so in my values:

driver:
   certConfig:
      name: cert-config

(https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/install-gpu-operator-air-gapped.html)

Issue is that these certificates are going into /etc/pki/ca-trust/extracted/pem, which isn't a directory that Red Hat will read from when trying to validate the repositories. Can you please update the chart to instead place these in /etc/pki/ca-trust/source/anchors and run an 'update-ca-trust' command at the beginning of the nvidia-driver script used as the entrypoint for the driver container?

The extracted/pem directory is the output directory for certificates after they've gone through the update-ca-trust process, placing the certs directly there will not make them available to the system.

[github-actions]

This issue is stale because it has been open 90 days with no activity. This issue will be closed in 30 days unless new comments are made or the stale label is removed. To skip these checks, apply the "lifecycle/frozen" label.

[rahulait]

You can provide the certificate path in the custom repo list file you might be creating. So something like:

[private-repo]
name=My Driver Repo
baseurl=https://your.private.repo/path
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/ca-trust/extracted/pem/my-gpg.crt
sslverify=1
sslcacert=/etc/pki/ca-trust/extracted/pem/my-cert.crt

Basically, you can set the sslcacert path wherever it ends up inside the container.

To keep the issue tracker clean and focused on current and actionable topics, I am going to close this issue. If you are having issues even after setting this, please re-open this ticket so that it can be investigated further.