Kubernetes: Populate certificates into keystores

7/16/2018

Guess you have deployed a service which is using certificates in order to create TLS/HTTPS communications.

So, I need to deploy Java client containers which have to trust these certificates.

Nevertheless, Java looks up truststores in order to check whether the certificate is valid.

As you can see, I'm not able to create an image using these certificates since they are unknown at build time.

I mean, I'm not able to create this kind of Dockerfile snippet, because /var/run/secrets/kubernetes.io/certs/tls.crt is not present at build time.

RUN keytool -import -alias vault -storepass changeit -keystore truststore.jks -noprompt -trustcacerts -file /var/run/secrets/kubernetes.io/certs/tls.crt

So, how can I populate these truststores with these certificates when the containers/pods are deployed/started?

I hope I've explained it well enough.

-- Jordi
Tags: java, kubernetes

1 Answer

1/4/2019

RedHat has a tutorial on how to do this on OpenShift:

https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift/

It uses OpenShift's built-in CA to actually generate and supply the certificate, so if using vanilla k8s you'll need to do that yourself, but once you have the certificate in a file on the pod, the method is exactly the same.

-- James Roper
Source: StackOverflow
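The runtime approach both the question and the answer point at (import the mounted certificate into a truststore when the container starts, not when the image is built), written out as an added example. This is not code from the question, the answer or the RedHat tutorial. It assumes the certificate is mounted from a Secret or ConfigMap at CERT_DIR (defaulting to the question's /var/run/secrets/kubernetes.io/certs), that the truststore is written to a runtime-writable path, and that keytool from a JDK is on PATH. It goes a little beyond the single tls.crt in the question: a PEM file holding a CA bundle is split first, because keytool -importcert only reads the first certificate in a file.

```shell
#!/bin/sh
# populate-truststore.sh -- added example, not code from the question or the
# RedHat tutorial. Builds a Java truststore at container start from the PEM
# certificates Kubernetes mounts into the pod, so the image never has to
# contain them. Assumed defaults (override via environment):
#   CERT_DIR    directory the Secret/ConfigMap volume is mounted at
#   TRUSTSTORE  where the generated JKS is written (must be writable at runtime)
#   STOREPASS   truststore password (a JKS needs one; it protects integrity only)
set -eu

CERT_DIR="${CERT_DIR:-/var/run/secrets/kubernetes.io/certs}"
TRUSTSTORE="${TRUSTSTORE:-/tmp/truststore.jks}"
STOREPASS="${STOREPASS:-changeit}"
KEYTOOL="${KEYTOOL:-keytool}"

# Alias from the file name: .../tls.crt -> "tls". Aliases must be unique within
# a store, so import_file appends "-1", "-2", ... for bundle members.
alias_for() {
  f=$(basename "$1")
  printf '%s\n' "${f%.*}"
}

# keytool -importcert only reads the first certificate in a PEM file, silently
# dropping the rest of a CA bundle. Split a bundle into one cert per file
# under directory $2 and print how many were found.
split_pem() {
  awk -v out="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; fn = out "/" n ".pem"; inside = 1 }
    inside { print > fn }
    /-----END CERTIFICATE-----/ { inside = 0; close(fn) }
    END { print n + 0 }
  ' "$1"
}

# Import every certificate in one PEM file; prints the number imported.
import_file() {
  file="$1"
  base=$(alias_for "$file")
  tmp=$(mktemp -d)
  n=$(split_pem "$file" "$tmp")
  i=1
  while [ "$i" -le "$n" ]; do
    # -noprompt: there is no TTY in a container; -trustcacerts: accept CA chain
    # members. keytool's own stdout is discarded so only the count is printed.
    "$KEYTOOL" -importcert -noprompt -trustcacerts \
      -alias "$base-$i" -file "$tmp/$i.pem" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null
    i=$((i + 1))
  done
  rm -rf "$tmp"
  printf '%s\n' "$n"
}

# Import all *.crt / *.pem files in a directory. Fails (status 1) when nothing
# was found, so a wrong mountPath shows up as a crashing pod instead of as TLS
# handshake failures later inside the application.
import_certs() {
  dir="$1"
  total=0
  for f in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
    total=$((total + $(import_file "$f")))
  done
  if [ "$total" -eq 0 ]; then
    echo "no certificates found in $dir" >&2
    return 1
  fi
  echo "imported $total certificate(s) into $TRUSTSTORE" >&2
}

# Container entry point: populate the store, point every JVM started afterwards
# at it through JAVA_TOOL_OPTIONS, then exec the real command so signals reach
# the Java process directly.
main() {
  import_certs "$CERT_DIR"
  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$STOREPASS"
  exec "$@"
}

# Only run when given a command, e.g. as the container command:
#   sh /opt/populate-truststore.sh java -jar /app/app.jar
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Two things worth checking before relying on this: setting javax.net.ssl.trustStore replaces the JDK's default cacerts entirely, so an application that also talks to public endpoints should have TRUSTSTORE start as a copy of $JAVA_HOME/lib/security/cacerts (imports then go into that copy); and the truststore path must be writable at runtime (an emptyDir mount or /tmp), since the image filesystem is often read-only. The same script works unchanged as an init container that writes the JKS into a shared emptyDir, which is the shape the OpenShift tutorial uses.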