Add custom certificates to a pipeline
Some organizations prefer to use custom SSL certificates instead of certificates generated by a public Certificate Authority (CA). If your organization uses internal certificates, you need to set up Harness to use these certificates.
Harness supports three workflows for using custom certificates. You can add your certs to the delegate, to individual pipelines, or to the container images you use to run your scans.
When to add custom certificates to a pipeline for STO
Harness STO supports three workflows for running scans with custom certificates. This workflow is recommended if either of the following are true:
- You're using any delegate type other than Kubernetes or Docker, such as a Harness Cloud delegate.
- You cannot access or customize your delegate directly.
You can also use this workflow if the external scanner requires additional files, such as an auth script or license files, to run scans. For example, ZAP scans might require context files as noted below.
Important notes for adding custom certificates to a pipeline for STO
- You must have root access to perform the workflow documented below.
- Make sure that your certificates meet all requirements of the external scan tool. Your certificates must be valid, unexpired, and have a complete trust chain.
- STO supports certificates in PEM and Distinguished Encoding Rules (DER) format.
- Harness STO does not support certificate bundles. Each certificate should be specified in its own file. If you have a bundle that you want to use with an external scanner, Harness recommends that you split the bundle into individual files.
- Store each certificate file as a Harness file secret. You can also use third-party managers such as HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager. For more information, go to Harness Secrets Manager Overview.
- You must include all required files in /shared/customer_artifacts/ or a subfolder of it, as described below. You can include any number of certificates or other files in or under this folder.
- Save each SSL certificate file to /shared/customer_artifacts/certificates/<certificate_name>.
- To troubleshoot SSL issues, go to Troubleshoot SSL in STO.
Workflow for adding custom certificates to a pipeline for STO
This workflow applies to all supported build infrastructures. It also applies to STO on SaaS, as well as Harness Self-Managed Platform.
- For each artifact that contains sensitive information, such as an SSL certificate, create a Harness secret.
- Go to the pipeline where you want to add the artifact.
- In the stage that will use the artifact, go to Overview > Shared Paths and create a folder under /shared, such as /shared/customer_artifacts.
- Add a Run step to the stage that copies the artifacts into the shared folder. This step must run before the scanner step that uses the artifact.
Example workflow for adding custom certificates to a pipeline for STO
This example shows how to include a PEM file in a pipeline that runs a scan using a Security step. This workflow assumes that you have a valid PEM stored as a Harness File Secret.
- In your Harness pipeline, go to the Overview tab of the Security stage. Under Shared Paths, enter the following shared path:
  /shared/customer_artifacts/certificates
  This is the default certificate location for Harness pipelines. You can copy any number of certificates to this folder.
- Add a Run step that copies your PEM file to the certificates folder. Here's some example code that does this:

```shell
# Stop on the first error so a missing or empty secret fails the step
# instead of leaving the scanner without a certificate.
set -e
# Create the target file in the shared certificates folder.
touch /shared/customer_artifacts/certificates/certificate
# NEWCERT holds the contents of the PEM file secret; write it verbatim
# (printf "%s" avoids interpreting backslashes in the PEM body).
printf "%s" "$NEWCERT" > /shared/customer_artifacts/certificates/certificate
```

- Set up the remaining downstream steps in your pipeline. When the pipeline runs a SonarQube scan that requires a PEM, it looks in /shared/customer_artifacts/certificates and proceeds if it finds a valid certificate.
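The workflow steps above and the one-certificate example cover a single PEM file. The script below is an added example, not code from the Harness documentation, that handles the case the notes call out: a CA bundle held in a secret must be split into one file per certificate before STO can use it. It assumes the bundle arrives in a hypothetical environment variable CERT_BUNDLE (the page's own example uses NEWCERT for a single certificate), that the target folder can be overridden through CERT_DIR so the script can be run outside a pipeline, and it uses a constructed two-certificate bundle with placeholder bodies as sample input. The function names split_pem_bundle, write_secret_cert and check_not_expired are this example's own.

```shell
#!/bin/sh
# Added example (not Harness's code): a Run-step script that writes each certificate
# from a PEM bundle to its own file under the STO certificates folder.
set -e

# Default STO location; override for local testing (assumption: CERT_DIR is ours, not a Harness variable).
CERT_DIR="${CERT_DIR:-/shared/customer_artifacts/certificates}"

# split_pem_bundle BUNDLE_FILE OUT_DIR [PREFIX]
# Copies every BEGIN/END CERTIFICATE block from BUNDLE_FILE into OUT_DIR/PREFIX-N.pem
# and prints the number of files written. Pure awk, so it needs no openssl on the image.
split_pem_bundle() {
  bundle="$1"; out_dir="$2"; prefix="${3:-cert}"
  mkdir -p "$out_dir"
  awk -v dir="$out_dir" -v prefix="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/%s-%d.pem", dir, prefix, n); inblock = 1 }
    inblock { print > file }
    /-----END CERTIFICATE-----/ { inblock = 0; close(file) }
    END { print n + 0 }
  ' "$bundle"
}

# write_secret_cert NAME VALUE
# Writes a single certificate given as a string (for example a file secret expanded
# into an environment variable) to CERT_DIR/NAME.pem, adding the trailing newline PEM readers expect.
write_secret_cert() {
  name="$1"; value="$2"
  mkdir -p "$CERT_DIR"
  printf '%s\n' "$value" > "$CERT_DIR/$name.pem"
  chmod 0644 "$CERT_DIR/$name.pem"
}

# check_not_expired FILE
# Returns 0 when openssl reports the certificate is still valid right now, 1 when it
# has expired. If openssl is not on the image the check is skipped rather than failed.
check_not_expired() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping expiry check for $1" >&2
    return 0
  fi
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# ---- demo with constructed input (the base64 bodies below are placeholders, not real certificates) ----
DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
CERT_BUNDLE="${CERT_BUNDLE:-$(cat <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderRootCaBodyNotARealCertificate0000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderIntermediateBodyNotARealCertificate000
-----END CERTIFICATE-----
EOF
)}"

printf '%s\n' "$CERT_BUNDLE" > "$DEMO_DIR/bundle.pem"
SPLIT_COUNT=$(split_pem_bundle "$DEMO_DIR/bundle.pem" "$DEMO_DIR/certificates" internal-ca)
echo "wrote $SPLIT_COUNT certificate file(s) to $DEMO_DIR/certificates"

# A real Run step would point CERT_DIR at /shared/customer_artifacts/certificates and
# run check_not_expired on each file before the scanner step starts, for example:
#   for f in "$CERT_DIR"/*.pem; do check_not_expired "$f"; done
```

In a pipeline, set CERT_DIR to the shared path configured under Shared Paths (or leave the default) and feed the bundle secret in through the Run step's environment; the expiry check only runs where the step image ships openssl, so pair it with the requirement above that every certificate is valid, unexpired and carries its full chain.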
YAML pipeline example for adding custom certificates to a pipeline for STO
The following illustrates an end-to-end pipeline that copies a PEM certificate to the default location, builds an image, and then scans the image using SonarQube (authorized using the certificate).