Guess you have deployed a service which's using certificates in order to create tls/https communications.
So, I need to deploy java client containers which have to trust with these certificates.
Nevertheless, java looks up in truststores in order to check whether the certificate is valid.
As you can see, I'm not able to create an image using these certificates since they are unknown in build time.
I mean, I'm not able to create this kind of Dockerfile
snippet, due to /var/run/secrets/kubernetes.io/certs/tls.crt
is not located on build-time.
RUN keytool -import -alias vault -storepass changeit -keystore truststore.jks -noprompt -trustcacerts -file /var/run/secrets/kubernetes.io/certs/tls.crt
So, how can I populate these truststores filled with these certificates when containers/pods are deployed/started?
I hope I've explained so well.
RedHat has a tutorial on how to do this on OpenShift:
https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift/
It uses OpenShifts built in CA to actually generate and supply the certificate, so if using vanilla k8s you'll need to do that yourself, but once you have the certificate in a file on the pod, the method is exactly the same.