Skip to main content
If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a corporate CA certificate, the reporter will fail with x509: certificate signed by unknown authority. To fix this, make the appliance’s CA bundle available to the reporter. The chart offers two ways to do this. Use whichever fits your deployment flow.
1

Create a Secret containing the corporate CA certificate

PEM format, single cert or bundle:
kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt
2

Enable the wrapper in values.yaml

customCA:
  enabled: true
  secretName: corporate-ca-bundle
  key: ca.crt
The chart mounts the certificate as a single file at /etc/ssl/certs/kosli-custom-ca.crt using subPath. Go’s standard library on Linux loads CA roots in two independent passes — it reads the system bundle file (e.g. /etc/ssl/certs/ca-certificates.crt) and also scans /etc/ssl/certs/ for additional certificate files. The mounted file is picked up by the directory scan and added to the trust store alongside the system roots, so no SSL_CERT_FILE env var is needed. The wrapper deliberately does not set SSL_CERT_FILE. Setting it would replace the system bundle entirely with the customer’s file, breaking trust for any public CAs the bundle does not include.

Option 2 — generic extraVolumes / extraVolumeMounts / extraEnvVars

Use these when you need a non-default mount path, a ConfigMap instead of a Secret, multiple volumes, or any other shape the wrapper does not cover:
extraVolumes:
  - name: corporate-ca
    secret:
      secretName: corporate-ca-bundle

extraVolumeMounts:
  - name: corporate-ca
    mountPath: /etc/ssl/certs/corporate
    readOnly: true
If you mount the CA outside /etc/ssl/certs/ and set SSL_CERT_FILE via extraEnvVars, your bundle must include the public CAs you also need to trust — Go uses only that file when SSL_CERT_FILE is set.

Pod Security Standards

Both options use secret-backed volumes, which are permitted under the Pod Security Standards restricted profile. hostPath mounts are not permitted under that profile and should not be used here.

Cluster-wide alternative

If you already run cert-manager’s trust-manager to distribute a corporate CA bundle into a well-known ConfigMap in every namespace, point extraVolumes / extraVolumeMounts at that ConfigMap instead of creating a per-namespace Secret.
Last modified on July 3, 2026