
I've seen another similar question here: Docker distroless image how to add customize certificate to trust store? but the answer relied on having the certificate available at image build time, which I do not have.

I am looking for a way to copy a CA certificate into a distroless based container image at Kubernetes pod deployment time and have the CA store get updated so that the certificate is considered valid by openssl.

I have seen that using Kubernetes volumes I can share the certificate.crt into the container when it is deployed (it will be present at /usr/local/share/ca-certificates/cert.crt inside the container) but there is no update-ca-certificates or update-ca-trust command available inside of distroless - so how can I ensure that the CA store/bundle is properly updated to make the cert be considered valid? Note that editing/appending to the cert bundle manually is not recommended. We are looking for the proper way to execute update-ca-certificates inside of distroless.

I have seen examples with alpine base images where people have used apk to add the missing packages such as ca-certificates so that the update-ca-certificates command will be available. Is there a similar way to achieve this when building distroless images?

DaveUK
  • Can't you use `docker cp` to copy the file to where OpenSSL expects it to be? Namely `/etc/ssl/certs/ca-certificates.crt` (on Debian anyway). You would have to start with a generic version of that file and append your certs to it. Or am I misunderstanding the question? – garethTheRed Nov 28 '20 at 08:16
  • The question is about how to append our certs to that file (so that they are trusted) on container launch via Kubernetes. The correct process to do that is to place the cert at /usr/local/share/ca-certificates and then run update-ca-certificates to update the bundle and ensure it's trusted in the store. Updating the file manually is not recommended. With other image types (e.g. alpine) it is possible to prep the image at build time using apk to have the right tooling (update-ca-certificates) available when the container is launched. How can we prep distroless in the same way? – DaveUK Nov 29 '20 at 19:48
  • Have you considered using an [Issuer](https://docs.cert-manager.io/en/release-0.11/tasks/issuers/setup-ca.html)? Does it fit your use case? – Wytrzymały Wiktor Nov 30 '20 at 09:54
  • It’s a good thought, but I think that certmanager is aimed at creating/issuing new certs. In my scenario I need to trust an existing set of CA certs and will not be creating my own or issuing new certs. – DaveUK Dec 02 '20 at 05:26

1 Answer


This is a community wiki answer. Feel free to expand on it.

The solution for your issue was proposed in this feature request:

Add option in cacerts rules to include additional ca certs #272

However, the request is still not merged and thus not available yet.

There is a workaround however which was explained here. Bear in mind that the workaround assumes that the initContainer is based on an image other than distroless.

Wytrzymały Wiktor
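The init-container workaround the answer refers to, written out as a Pod spec. This is an added example for this page, not code from the question, the answer, or the linked issue or post. The ConfigMap name `corporate-ca`, the helper image `example.com/ca-helper:1` (assumed to be any Debian-based image that already contains the `ca-certificates` package, so `update-ca-certificates` is present and no package install is needed at pod start), the distroless app image and the `/app` binary path are all assumptions:

```yaml
# Added example: rebuild the Debian CA store in a non-distroless init container,
# then hand the result to the distroless app container over an emptyDir volume.
# Assumed names: ConfigMap "corporate-ca", helper image "example.com/ca-helper:1",
# app image gcr.io/distroless/base-debian10, app binary /app.
apiVersion: v1
kind: ConfigMap
metadata:
  name: corporate-ca                 # assumed name
data:
  corp-ca.crt: |                     # must end in .crt or update-ca-certificates ignores it
    -----BEGIN CERTIFICATE-----
    (paste the CA certificate PEM here)
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-custom-ca
spec:
  volumes:
    - name: extra-ca
      configMap:
        name: corporate-ca
    - name: trust-store              # rebuilt /etc/ssl/certs, shared with the app container
      emptyDir: {}
  initContainers:
    - name: update-ca
      image: example.com/ca-helper:1 # assumed: Debian-based, ca-certificates package installed
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          # Stage the mounted certs where update-ca-certificates looks for local CAs.
          cp /extra-ca/*.crt /usr/local/share/ca-certificates/
          # Regenerate the hashed symlinks in /etc/ssl/certs and the bundle
          # /etc/ssl/certs/ca-certificates.crt in this init container's own filesystem.
          update-ca-certificates
          # Copy the result to the shared volume, dereferencing symlinks (-L) so the
          # hashed entries become regular files: their targets under
          # /usr/share/ca-certificates do not exist in the distroless image.
          cp -rL /etc/ssl/certs/. /trust-store/
      volumeMounts:
        - name: extra-ca
          mountPath: /extra-ca
          readOnly: true
        - name: trust-store
          mountPath: /trust-store
  containers:
    - name: app
      image: gcr.io/distroless/base-debian10   # assumed distroless base
      command: ["/app"]                        # assumed application binary
      volumeMounts:
        # Replace the image's /etc/ssl/certs with the rebuilt one. OpenSSL reads the
        # hashed directory; Go's crypto/x509 reads ca-certificates.crt from here.
        - name: trust-store
          mountPath: /etc/ssl/certs
          readOnly: true
      securityContext:
        runAsNonRoot: true   # the app only reads the store; only the init step needs root
        runAsUser: 65532     # distroless "nonroot" uid
```

Two points worth checking before relying on this. First, the mount replaces the distroless image's `/etc/ssl/certs` entirely, so the app trusts exactly the system CAs shipped by the helper image's `ca-certificates` package plus the added CA; pin the helper image tag so that set does not drift between deployments. Second, whoever can write the `corporate-ca` ConfigMap can insert a trust anchor into every pod that mounts it, so restrict write access to it with RBAC the same way you would restrict access to a Secret.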