Self Signed Certificates

This tutorial requires a Vault-CRD Version newer then 1.4.3
To use self signed certificates it's required to add to the main cacerts keystore the self signed certificate or the better solution is to add the root certificate of the self signed certificate.
For security reasons, I will not provide a way to ignore invalid certificates.
To build a Docker Image that contains a Self Signed Certificate we will use a Docker Image Pipeline. This Pipeline will take the default cacerts file from openjdk:8, add our self-signed certificate and afterwards add this certificate to our cacerts keystore.
FROM openjdk:8 AS BUILD
​
COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem
The last step is to add the edited cacerts keystore to vault-crd. Please replace in the FROM section the Docker Image Tag with the version you are planning to use:
FROM daspawnw/vault-crd:1.5.0
​
COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
Here the full example
FROM openjdk:8 AS BUILD
​
COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem
​
FROM daspawnw/vault-crd:1.4.3
​
COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
Install Vault-CRD
Enable Admission Webhook
Last updated 1 year ago