Custom CA procedure for S3 and Git

docs/admin/config/advanced-cluster-config.md

@@ -52,6 +52,19 @@ The following configurations allow you to enable or disable features, control pe
 | spec.runai-scheduler.args.verbosity (int) | Configures the level of detail in the logs generated by the scheduler service | 4 |
 | pod-grouper.args.gangScheduleArgoWorkflow (boolean) | Groups all pods of a single ArgoWorkflow workload into a single Pod-Group for gang scheduling. | true |
 
+### S3 and Git sidecar images
+For air-gapped environments, when [Working with a Local Certificate Authority](./org-cert.md), it is required to replace the default sidecar images in order to use the Git and S3 data source integrations. Use the following configurations:
+``` 
+workload-controller:
+  s3FileSystemImage:
+    name: goofys 
+    repository: gcr.io/run-ai-prod
+    tag: master
+  gitSyncImage:
+    name: git-sync
+    repository: registry.k8s.io
+    tag: v4.4.0
+```
 
 ### Run:ai Managed Nodes
 

docs/admin/config/org-cert.md

@@ -9,7 +9,7 @@ In the context of Run:ai, the cluster and control-plane need to be aware of this
 
 You will need to have the public key of the local certificate authority. 
 
-## Control-Plane Installation
+## Control-Plane
 
 * Create the `runai-backend` namespace if it does not exist. 
 * Add the public key to the `runai-backend` namespace:
@@ -21,7 +21,7 @@ kubectl -n runai-backend create secret generic runai-ca-cert \
 * As part of the installation instructions, you need to create a secret for [runai-backend-tls](../runai-setup/self-hosted/k8s/preparations.md#domain-certificate). Use the local certificate authority instead.
 * Install the control plane, add the following flag to the helm command `--set global.customCA.enabled=true`
 
-## Cluster Installation
+## Cluster
 
 * Create the `runai` namespace if it does not exist. 
 * Add the public key to the `runai` namespace:
@@ -37,5 +37,20 @@ kubectl -n openshift-monitoring create secret generic runai-ca-cert \
 * Install the Run:ai operator, add the following flag to the helm command `--set global.customCA.enabled=true`
 
 
+### Git and S3 
+Run:ai enables AI practitioners to integrate with S3 or Git as data sources.
+When using a custom CA, sidecar containers used for S3 or Git integrations do not automatically inherit the CA configured at the cluster level. This requires manually building a custom container for each integration based on the default Run:ai image while incorporating the local CA certificates.
 
+1. [build tag and publish](https://docs.docker.com/get-started/docker-concepts/building-images/build-tag-and-publish-an-image/) the images for the S3 / Git integrations using the following Dockerfile:
+```
+#FROM gcr.io/run-ai-prod/goofys:master # S3
+#FROM registry.k8s.io/git-sync/git-sync:v4.4.0 # Git
+USER root
+ADD anchors/ /usr/local/share/ca-certificates/
+RUN chmod 644 -R /usr/local/share/ca-certificates/ && update-ca-certificates
+WORKDIR /
+ENTRYPOINT ["sh"]
+CMD ["/usr/bin/run.sh"]
+```
+2. Edit the cluster configuration's for images used by Run:ai following the [S3 and Git sidecar images](./advanced-cluster-config.md#s3-and-git-sidecar-images) instructions.