Suppose you have deployed a service that is using certificates in order to create TLS/HTTPS communications.
So, I need to deploy Java client containers which have to trust these certificates.
Nevertheless, Java looks up truststores in order to check whether the certificate is valid.
As you can see, I'm not able to create an image using these certificates since they are unknown at build time.
I mean, I'm not able to create this kind of Dockerfile snippet, because /var/run/secrets/kubernetes.io/certs/tls.crt is not available at build time.
RUN keytool -import -alias vault -storepass changeit -keystore truststore.jks -noprompt -trustcacerts -file /var/run/secrets/kubernetes.io/certs/tls.crt
So, how can I populate these truststores with these certificates when the containers/pods are deployed/started?
I hope I've explained it well.
You can renew your certificates manually at any time with the kubeadm certs renew command. This command performs the renewal using the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki. After running the command you should restart the control plane Pods.
RedHat has a tutorial on how to do this on OpenShift:
https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift/
It uses OpenShift's built-in CA to actually generate and supply the certificate, so if you're using vanilla k8s you'll need to do that yourself, but once you have the certificate in a file on the pod, the method is exactly the same.
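The runtime approach this answer describes, as an added example that is not from the original post or the RedHat article: an entrypoint script that imports the mounted certificate into a copy of the JDK truststore with keytool when the container starts, then hands the resulting store to the JVM. Only the tls.crt path, the alias "vault" and the password "changeit" come from the question; the script name, the other paths and the environment variable names are assumptions.

```shell
#!/bin/sh
# Hypothetical container entrypoint: build a truststore at start time from the
# certificate Kubernetes mounts into the pod, then exec the Java process.
# Only CERT_FILE, the alias "vault" and the password "changeit" come from the
# question; every other path and name here is an assumption.
set -eu

CERT_FILE="${CERT_FILE:-/var/run/secrets/kubernetes.io/certs/tls.crt}"
# Secret mounts are read-only, so the store is written to a writable location.
TRUSTSTORE="${TRUSTSTORE:-/tmp/truststore.jks}"
STOREPASS="${STOREPASS:-changeit}"
# Start from the JDK's own cacerts so public CAs keep working alongside ours.
JDK_CACERTS="${JDK_CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/cacerts}"

# Refuse anything that is not a PEM certificate before handing it to keytool:
# a missing or empty mount should fail the pod loudly, not trust nothing silently.
cert_is_pem() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# JVM system properties that point the default SSLContext at our store.
java_trust_flags() {
  printf '%s %s' \
    "-Djavax.net.ssl.trustStore=$1" \
    "-Djavax.net.ssl.trustStorePassword=$2"
}

# Copy the JDK store and import the mounted certificate into the copy.
import_cert() {
  cert_is_pem "$CERT_FILE" || { echo "no PEM certificate at $CERT_FILE" >&2; return 1; }
  cp "$JDK_CACERTS" "$TRUSTSTORE"
  keytool -importcert -noprompt -trustcacerts -alias vault \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -file "$CERT_FILE"
}

main() {
  import_cert
  # The flags are expanded unquoted on purpose so the JVM sees two arguments.
  exec java $(java_trust_flags "$TRUSTSTORE" "$STOREPASS") "$@"
}

# Used as the image's ENTRYPOINT, e.g.: entrypoint.sh -jar /app/app.jar
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Because the import runs on every start, a rotated certificate in the Secret is picked up on the next pod restart without rebuilding the image.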