🔐Custom CA Certs

Adding certificates at runtime

Terrakube componentes (api, registry and executor) are using buildpacks to create the docker images

When using buildpack to add a custom CA certificate at runtime you need to do the following:

Provide the following environment variable to the container:

SERVICE_BINDING_ROOT: /mnt/platform/bindings

Inside the path there is a folder call "ca-certificates"

cnb@terrakube-api-678cb68d5b-ns5gt:/mnt/platform/bindings$ ls

We need to mount some information to that path


Inside this folder we should put out custom PEM CA certs and one additional file call type

cnb@terrakube-api-678cb68d5b-ns5gt:/mnt/platform/bindings/ca-certificates$ ls
terrakubeDemo1.pem  terrakubeDemo2.pem  type

The content of the file type is just the text "ca-certificates"

cnb@terrakube-api-678cb68d5b-ns5gt:/mnt/platform/bindings/ca-certificates$ cat type

Finally your helm terrakube.yaml should look something like this because we are mounting out CA certs and the file called type in the following path " /mnt/platform/bindings/ca-certificates"

## Terrakube Security
    terrakubeDemo1.pem: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----
    terrakubeDemo2.pem: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----

## API properties
  version: "2.11.2"
    value: /mnt/platform/bindings
    - name: ca-certs
        secretName: terrakube-ca-secrets
        - key: "terrakubeDemo1.pem"
          path: "terrakubeDemo1.pem"
        - key: "terrakubeDemo2.pem"
          path: "terrakubeDemo2.pem"
        - key: "type'
          path: "type"
  - name: ca-certs
    mountPath: /mnt/platform/bindings/ca-certificates
    readOnly: true

When mounting the volume with the ca secrets dont forget to add the key "type", the content of the file is already defined inside the helm chart

Checking the terrakube component two additional ca certs are added inside the sytem truststore

Added 2 additional CA certificate(s) to system truststore
Setting Active Processor Count to 2
Calculating JVM memory based on 5791152K available memory
For more information on this calculation, see https://paketo.io/docs/reference/java-reference/#memory-calculator
Calculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M -Xmx5033128K -XX:MaxMetaspaceSize=246023K -XX:ReservedCodeCacheSize=240M -Xss1M (Total Memory: 5791152K, Thread Count: 250, Loaded Class Count: 41022, Headroom: 0%)
Enabling Java Native Memory Tracking
Adding 126 container CA certificates to JVM truststore
Spring Cloud Bindings Enabled
Picked up JAVA_TOOL_OPTIONS: -Djava.security.properties=/layers/paketo-buildpacks_bellsoft-liberica/java-security-properties/java-security.properties -XX:+ExitOnOutOfMemoryError -XX:ActiveProcessorCount=2 -XX:MaxDirectMemorySize=10M -Xmx5033128K -XX:MaxMetaspaceSize=246023K -XX:ReservedCodeCacheSize=240M -Xss1M -XX:+UnlockDiagnosticVMOptions -XX:NativeMemoryTracking=summary -XX:+PrintNMTStatistics -Dorg.springframework.cloud.bindings.boot.enable=true

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 :: Spring Boot ::                (v2.7.8)

Additinal information about buildpacks can be found in this link:

Adding certificate at build time

Terrakube allow to add the certs when building the application, to use this option use the following:

git clone https://github.com/AzBuilder/terrakube
cd terrakube
git checkout <<TERRAKUBE-VERSION>>
mv EXAMPLE.pem bindings/ca-certificates

# This script should be run from the root folder

The certs will be added at runtime as the following image.

Last updated