Vault-CRD
Github
Search…
Introduction
How does Vault-CRD work?
Supported Secret Types
Change Detection
Install Vault-CRD
Self Signed Certificates
Enable Admission Webhook
Powered By GitBook
Self Signed Certificates
This tutorial requires a Vault-CRD Version newer then 1.4.3
To use self signed certificates it's required to add to the main cacerts keystore the self signed certificate or the better solution is to add the root certificate of the self signed certificate.
For security reasons, I will not provide a way to ignore invalid certificates.
To build a Docker Image that contains a Self Signed Certificate we will use a Docker Image Pipeline. This Pipeline will take the default cacerts file from openjdk:8, add our self-signed certificate and afterwards add this certificate to our cacerts keystore.
FROM openjdk:8 AS BUILD
COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem
The last step is to add the edited cacerts keystore to vault-crd. Please replace in the FROM section the Docker Image Tag with the version you are planning to use:
FROM daspawnw/vault-crd:1.5.0
COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
Here the full example
FROM openjdk:8 AS BUILD
COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem
FROM daspawnw/vault-crd:1.4.3
COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
Previous
Install Vault-CRD
Next
Enable Admission Webhook
Last modified 2yr ago
Copy link