Docker: Insert certificate into keystore
I'm trying to add a certificate into the $JAVA_HOME/jre/lib/security/cacerts truststore in my Dockerfile:

FROM frolvlad/alpine-oraclejdk8:slim
VOLUME /tmp
RUN keytool -import -alias vault -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -noprompt -trustcacerts -file /var/run/secrets/kubernetes.io/certs/tls.crt
ADD wseccloudconfig-0.0.1-SNAPSHOT.jar app.jar
RUN sh -c 'touch /app.jar'
ENTRYPOINT [ "sh", "-c", "java $JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -jar /app.jar" ]

As you can see, I'm performing a keytool... command in order to insert the certificate into cacerts.

I'm deploying this image into my OpenShift/Kubernetes cluster. Once I've connected to the pod shell, I'm able to run this keytool... command correctly. So I mean, the command is well formed. There are no syntax problems or related issues...

So, I was expecting my certificate to appear in the output of this command: keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts, but it doesn't appear.

Any ideas?

EDIT

I've also tried writing this in the Dockerfile:

CMD ["keytool", "-import", "-alias", "vault", "-storepass", "changeit", "-keystore", "$JAVA_HOME/jre/lib/security/cacerts", "-noprompt", "-trustcacerts", "-file", "/var/run/secrets/kubernetes.io/certs/tls.crt"]
Reinaldoreinaldos answered 13/7, 2018 at 10:48 Comment(6)
Maybe you should copy the file /var/run/secrets/kubernetes.io/certs/tls.crt into the container before running the keytool command. - Dorena
It's not possible. This file (tls.crt) is provided when the volume is mounted. It's not available at build time. I've also tried with CMD. See the post edit. - Reinaldoreinaldos
Why isn't the cert in JKS format? @Reinaldoreinaldos - Verein
If it's not available at build time, the keytool import cannot work. Modify your entry point so that it's a script which first imports the certificate and then runs your jar. - Dorena
I think the solution is to add a CMD instead of changing the ENTRYPOINT. - Reinaldoreinaldos
Any fix? I have the same issue. - Alliterate
Just like someone already stated in the comments: if you want to use the crt file that gets mounted at deployment, you have to add the keytool command to the deployment.

The crt you are trying to access when building the container does not exist yet.

Blandishments answered 9/4, 2021 at 23:24 Comment(0)
If you want to add CA certificates to your Java keystore and supply them when the app is deployed, you should add the keytool command to your container's entrypoint script so it runs when the certificate is available to your container.

entrypoint script:

#!/bin/sh
# Abort if the import fails instead of starting the app with an incomplete truststore.
set -e

keytool -import \
-alias vault \
-storepass changeit \
-keystore "$JAVA_HOME/jre/lib/security/cacerts" \
-noprompt \
-trustcacerts \
-file /var/run/secrets/kubernetes.io/certs/tls.crt

# exec so java replaces the shell as PID 1 and receives the orchestrator's signals.
exec java $JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -jar /app.jar

Dockerfile:

FROM frolvlad/alpine-oraclejdk8:slim

ADD wseccloudconfig-0.0.1-SNAPSHOT.jar app.jar

RUN sh -c 'touch /app.jar'

COPY ./entrypoint.sh /var/lib/wseccloudconfig/

# Set permissions after the COPY so the script is executable whatever its mode was in the build context.
RUN chmod -R 755 /var/lib/wseccloudconfig

ENTRYPOINT ["/var/lib/wseccloudconfig/entrypoint.sh"]

Not sure if I got the details right, but I hope you get the idea.

Quick side note: JDK 8 is kind of old at this point, and if you are not bound to it for some reason, you should update to a newer JDK version. If you do that, be aware that the keytool command can change between JDK versions.

Greengrocery answered 15/2, 2022 at 7:50 Comment(0)
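A more robust version of that entrypoint, added here as an example and not part of the answer above: it checks that the mounted certificate exists, falls back to a private copy of cacerts when the system store is not writable (the normal case when OpenShift runs the container under an arbitrary UID), verifies the import before starting, and execs java. The paths, alias and store password are the ones from the question; the environment-variable overrides and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own script: import a certificate that is only
# mounted at run time, then start the application. Unlike the answer's script it
# also copes with a root-owned, read-only cacerts, which is the normal case when
# OpenShift runs the container under an arbitrary UID. Paths, alias and store
# password are assumptions taken from the question.
set -e

CERT_FILE="${CERT_FILE:-/var/run/secrets/kubernetes.io/certs/tls.crt}"
CERT_ALIAS="${CERT_ALIAS:-vault}"
STORE_PASS="${STORE_PASS:-changeit}"
SYSTEM_CACERTS="${SYSTEM_CACERTS:-$JAVA_HOME/jre/lib/security/cacerts}"

# Print the truststore to import into: the system cacerts when it is writable,
# otherwise a private copy in a writable scratch directory.
choose_truststore() {
    if [ -w "$1" ]; then
        printf '%s\n' "$1"
    else
        cp "$1" "$2/cacerts" && chmod 600 "$2/cacerts"
        printf '%s\n' "$2/cacerts"
    fi
}

# Print the -D options that point the JVM at the chosen store; empty when the
# system cacerts itself was modified (args: chosen store, system store, password).
truststore_opts() {
    [ "$1" = "$2" ] && return 0
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$3"
}

main() {
    [ -r "$CERT_FILE" ] || { echo "certificate $CERT_FILE is not mounted" >&2; return 1; }
    store=$(choose_truststore "$SYSTEM_CACERTS" "${TMPDIR:-/tmp}")
    keytool -import -alias "$CERT_ALIAS" -storepass "$STORE_PASS" \
        -keystore "$store" -noprompt -trustcacerts -file "$CERT_FILE"
    # Fail fast instead of starting an app that will reject the peer later.
    keytool -list -alias "$CERT_ALIAS" -storepass "$STORE_PASS" -keystore "$store" >/dev/null
    # exec so java is PID 1 and receives SIGTERM from the orchestrator;
    # JAVA_OPTS and the -D options are unquoted on purpose so they word-split.
    exec java $JAVA_OPTS $(truststore_opts "$store" "$SYSTEM_CACERTS" "$STORE_PASS") \
        -Djava.security.egd=file:/dev/./urandom -jar /app.jar
}

# Start the application only when run as the entrypoint, so the helpers above
# can also be sourced and tested on their own.
case "${0##*/}" in entrypoint.sh) main "$@" ;; esac
```

When the private copy is used, the app trusts only that copy, so the copy must be made from the full system cacerts (as above) rather than from an empty keystore.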