Docker distroless image: how to add a custom certificate to the trust store?
gcr.io/distroless/java

How do I add a custom PKI certificate?

Airwoman answered 3/10, 2018 at 21:53 Comment(0)

The distroless images are based on Debian 9, so you can do a multi-stage build and do something like the following:

# Stage 1: a full Debian image, which has update-ca-certificates available
FROM debian AS build-env

# Add the custom CA. update-ca-certificates only picks up files in this
# directory whose name ends in .crt, so keep the extension.
COPY my-ca-file.crt /usr/local/share/ca-certificates/my-ca-file.crt
RUN apt-get update -qq && \
    apt-get install -y -qq --no-install-recommends ca-certificates && \
    update-ca-certificates

# Stage 2: copy the regenerated trust directory into the distroless image.
# /etc/ssl/certs/ca-certificates.crt is the concatenated bundle most TLS
# clients read; the per-certificate symlinks in the same directory point at
# /usr/share/ca-certificates and /usr/local/share/ca-certificates, which do
# not exist in the final image unless copied as well.
FROM gcr.io/distroless/base
COPY --from=build-env /etc/ssl/certs /etc/ssl/certs
Selfabsorbed answered 22/3, 2019 at 22:57 Comment(2)
This is a good suggestion for people who have the certificates available at image build time, but some (like myself) will not have the cert available until container deployment time. The cert can be shared into the container through k8s volumes, but it is not clear how to update the cert store within the container, as update-ca-certificates and update-ca-trust are both missing. Any ideas? Ironsides
@daveUK have your secret in a k8s secret, and use a debian init-container with a shared volume (/etc/ssl/certs) to populate it. Xenophobe
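Whichever way the bundle reaches the image, the check worth doing afterwards is that the final image's /etc/ssl/certs/ca-certificates.crt really contains the custom CA, and contains it exactly once (a CA that was both picked up by update-ca-certificates and appended by hand shows up twice; one whose file did not end in .crt is silently skipped and shows up not at all). The script below is an added example, not code from the question or from either answer. It assumes the bundle has been copied out of the built image, for instance with `docker create --name tmp <image>` followed by `docker cp tmp:/etc/ssl/certs/ca-certificates.crt .`, since a distroless image has no shell to run openssl in, and it takes the expected fingerprint as printed by `openssl x509 -noout -fingerprint -sha256 -in my-ca-file.crt`. The sample bundle embedded in the script is constructed from arbitrary bytes wrapped in PEM armour, not real certificates; the fingerprinting is identical for real DER.

```python
"""Check that a PEM CA bundle contains the expected custom CA exactly once.

Added example (not from the original post). Usage:
    python check_bundle.py ca-certificates.crt AB:CD:...:EF
With no arguments the constructed sample bundle below is checked instead.
"""
import base64
import hashlib
import re
import sys
import textwrap

# One PEM block per certificate; the base64 body is normally wrapped at 64 columns.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA-256 over the DER bytes, the same form
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle: str) -> list:
    """Fingerprints of every certificate in a PEM bundle, in file order."""
    result = []
    for match in _PEM_BLOCK.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        result.append(sha256_fingerprint(der))
    return result


def check_bundle(bundle: str, required: set) -> dict:
    """Report the certificate count, the required CAs that are absent, and the
    CAs that appear more than once."""
    counts = {}
    for fp in bundle_fingerprints(bundle):
        counts[fp] = counts.get(fp, 0) + 1
    return {
        "total": sum(counts.values()),
        "missing": sorted(set(required) - set(counts)),
        "duplicates": sorted(fp for fp, n in counts.items() if n > 1),
    }


def _constructed_pem(payload: bytes) -> str:
    """Constructed stand-in for a certificate: arbitrary bytes in PEM armour.
    Real bundles carry X.509 DER here; the fingerprint logic is the same."""
    body = base64.b64encode(payload).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data (not real certificates).
CUSTOM_CA_PEM = _constructed_pem(b"constructed: my-ca-file.crt")
DEBIAN_CA_PEM = _constructed_pem(b"constructed: one of Debian's bundled roots")
CUSTOM_CA_FP = bundle_fingerprints(CUSTOM_CA_PEM)[0]

# A bundle in which the custom CA ended up twice (once via update-ca-certificates,
# once via a stray `cat >>`), so the duplicate check has something to report.
SAMPLE_BUNDLE = DEBIAN_CA_PEM + CUSTOM_CA_PEM + CUSTOM_CA_PEM


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report = check_bundle(fh.read(), {sys.argv[2].upper()})
    else:
        report = check_bundle(SAMPLE_BUNDLE, {CUSTOM_CA_FP})
    print(report)
    # Non-zero exit lets this run as a gate in the image build pipeline.
    sys.exit(1 if report["missing"] or report["duplicates"] else 0)
```

The script exits non-zero on a missing or duplicated CA, so it can sit directly after `docker build` in CI. For the init-container variant from the comment above, run it against the populated shared volume instead of a copied-out file.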

Since this is distroless, I don't add them to the system (Linux); I add them straight to the Java keystore.

Here is an example of adding Swisssign as a certificate authority, which is otherwise not supported.

It's noteworthy that distroless has already set the password 'changeit' at build time, so don't change it (!) unless you replace the keystore altogether.

FROM gcr.io/distroless/java17:latest

# Adding Swisssign as certificate authority,
# required by Six.
#
# First add the certificates to the location otherwise expected by 'update-ca-certificates'
# (renamed to .crt, which is the extension that tool would look for).
COPY Gold_G2.ca /usr/local/share/ca-certificates/gold_g2.crt
COPY SwissSign_RSA_TLS_OV_ICA_2021-1.ca /usr/local/share/ca-certificates/swisssign_rsa_tls_ov_ica_2021-1.crt

# However, since this is distroless, instead of 'update-ca-certificates'
# we import immediately into the Java keystore.
# distroless has set the password 'changeit' at build time, so until we create an all-new keystore this will be it.
#
# There is no shell in the image, so RUN must use the JSON (exec) form with the
# full path to keytool; '-cacerts' targets the JRE's own trust store.
RUN ["/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool", \
     "-import", "-trustcacerts", "-cacerts", "-noprompt", \
     "-storepass", "changeit", \
     "-alias", "Swisssign_Gold_CA-G2", \
     "-file", "/usr/local/share/ca-certificates/gold_g2.crt"]

RUN ["/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool", \
     "-import", "-trustcacerts", "-cacerts", "-noprompt", \
     "-storepass", "changeit", \
     "-alias", "Swisssign_RSA_TLS_OV_ICA_2021-1", \
     "-file", "/usr/local/share/ca-certificates/swisssign_rsa_tls_ov_ica_2021-1.crt"]
Olodort answered 27/3, 2023 at 15:53 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.