This repository was archived by the owner on Dec 15, 2021. It is now read-only.

unzip initContainer SSL certificate problem: unable to get local issuer certificate #1238

@cmanzur

FEATURE REQUEST: Add custom CA certificates

What happened:
We are using MINIO instead of S3 to store the zip functions.
The initContainer unzip:latest is getting an error when trying to curl MINIO:
curl: SSL certificate problem: unable to get local issuer certificate

This is because it is signed with our internal CA, so the initContainer fails exactly on this line:

  • file: pkg/utils/kubelessutil.go
  • line: prepareCommand = appendToCommand(prepareCommand, fmt.Sprintf("curl '%s' -L --silent --output %s", function, fromURLFile))

Basically we have 3 options:

  • Option 1: Add a curl -k (bad approach)
  • Option 2: Mount our CA certificate inside the initContainer.
  • Option 3: Create a custom unzip image with our CA inside. This is what I did and it works!

The problem with Option 3 is that it's not dynamic. If I change the S3 endpoint I'll have to recreate the docker image.

How can we achieve Option 2 in a proper way?

How to reproduce it:

cat serverless.yml

service: poc-python

provider:
  name: kubeless
  runtime: python3.7
  namespace: lambda
  deploy:
    strategy: S3ZipContent
    options:
      accessKeyId: ${env:MINIO_ACCESS_KEY}
      secretAccessKey: ${env:MINIO_SECRET_KEY}
      endpoint: https://minio.example.com # This endpoint is external signed with our CA.
      bucket: serverless
      region: us-east-1
      s3ForcePathStyle: true

plugins:
  - serverless-kubeless

functions:
  main:
    handler: handler.hello

pip install -r requirements.txt -t requirements
zip -r artifact.zip requirements/ handler.py
sls deploy --config serverless.yml -v -p artifact.zip

Environment:

  • Kubernetes version: v1.20.0
  • Kubeless version: 1.0.8
  • Physical cluster
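
Option 2 from the issue above can be handled at the point where the init container's download command is built. The following Go example is added here and is not Kubeless code or part of the original issue: `fetchCommand`, `shellQuote` and the mount path `/etc/kubeless-ca/ca.crt` are hypothetical, and it assumes the internal CA bundle (PEM) is mounted into the init container from a ConfigMap or Secret.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// shellQuote single-quotes s for POSIX sh, escaping any embedded single quote.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// fetchCommand is a hypothetical helper, not Kubeless code. caBundle is the
// path at which the internal CA (PEM) is assumed to be mounted in the init
// container; an empty value keeps the image's default trust store.
func fetchCommand(url, out, caBundle string) (string, error) {
	args := []string{"curl", shellQuote(url), "-L", "--silent", "--output", shellQuote(out)}
	if caBundle != "" {
		if !path.IsAbs(caBundle) || path.Clean(caBundle) != caBundle {
			return "", fmt.Errorf("CA bundle path must be absolute and clean: %q", caBundle)
		}
		// --cacert points curl at the mounted bundle, so certificate
		// verification stays enabled (unlike -k) and only those CAs are trusted.
		args = append(args, "--cacert", shellQuote(caBundle))
	}
	return strings.Join(args, " "), nil
}

func main() {
	// Constructed sample values; the object key and mount path are assumptions.
	cmd, err := fetchCommand("https://minio.example.com/serverless/artifact.zip",
		"/tmp/func.fromurl", "/etc/kubeless-ca/ca.crt")
	if err != nil {
		panic(err)
	}
	fmt.Println(cmd)
}
```

Because the bundle comes from a mounted volume rather than the image, changing the endpoint or rotating the CA only requires updating the ConfigMap or Secret, not rebuilding the unzip image.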
