I have a Helm Chart which, on deployment, creates the following Kubernetes resources:
- An SSL-enabled Service
- A Container created from my Docker image which internally runs a Java process that communicates with the above Service.
- Kubernetes Secrets (SSL certificates and access keys) that are mounted inside the above container.
The problem is that my Container cannot talk to my Service unless I add the SSL certificate to the Java certificates. I do this by running the following commands manually inside my Docker container as the root user.
cd ${JAVA_HOME}/jre/lib/security
keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias myservicecert -file /home/myuser/.myservice/certs/public.crt
I want to automate the above steps but am facing issues:
- I cannot perform the above steps inside the Dockerfile since the certificate is not available at that time. Obvious.
- I cannot add these steps in the entrypoint.sh file of the Docker image because the entrypoint file is executed by a different user than root.
- Another solution that I could think of is to change the permission of the path ${JAVA_HOME}/jre/lib/security/cacerts to 777 so that I can run these commands in entrypoint.sh without an issue. But I am not sure if this is the correct way to go due to security reasons. Suggestions on this?
- I do not want to set a custom location for certificates using -Djavax.net.ssl.trustStore because then Java will not have access to the root certificates.
What is correct way to achieve this?
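One way to do the import as the non-root container user, without making cacerts world-writable and without losing the JDK's bundled root CAs, is to copy the default cacerts to a writable path, import the service certificate into the copy, and point the JVM at that copy. This is an added example entrypoint, not code from the question; the SERVICE_CERT variable, the /tmp destination and the script being named entrypoint.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the question): build a private truststore at container
# start so the service certificate is trusted without root or chmod 777.
set -eu

# Locate the JDK's default truststore. JDK 8 keeps it under jre/lib/security,
# newer JDKs under lib/security; the copy made below inherits all of its root CAs.
resolve_cacerts() {
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  echo "no cacerts found under $1" >&2
  return 1
}

# Copy the default truststore to a writable location and import the service
# certificate into the copy. Assumes keytool is on PATH (it ships with the JDK).
# Arguments: <source cacerts> <certificate file> <destination truststore> <alias>
build_truststore() {
  src=$1; cert=$2; dest=$3; alias=$4
  if [ ! -r "$cert" ]; then
    echo "certificate $cert is missing or unreadable" >&2   # fail before touching keytool
    return 1
  fi
  cp "$src" "$dest"
  chmod 0600 "$dest"        # private copy: only the container user can read or alter it
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$dest" -storepass changeit \
    -alias "$alias" -file "$cert" >/dev/null
}

main() {
  cacerts=$(resolve_cacerts "${JAVA_HOME:?JAVA_HOME must be set}")
  store=/tmp/truststore.jks   # assumed writable path; an emptyDir mount works the same way
  build_truststore "$cacerts" \
    "${SERVICE_CERT:-/home/myuser/.myservice/certs/public.crt}" "$store" myservicecert
  # The copy still holds every root CA from the original cacerts, so pointing the
  # JVM at it does not drop the default trust anchors.
  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=changeit"
  exec "$@"
}

# Run main only when invoked as the container entrypoint.
if [ "$(basename "$0")" = "entrypoint.sh" ]; then
  main "$@"
fi
```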