
Docker: Allow vault cert to be validated by public CAs #17

Open
wants to merge 1 commit into base: master

Conversation

aaron-trout (Contributor)

Currently because the Docker image is FROM scratch, there are no CA certificates available to validate the Vault server's certificate. We are using letsencrypt on our Vault API endpoint so by simply installing the ca-certificates package the validation can pass.

@Joseph-Irving (Contributor)

Hey, thanks for the PR

We intentionally don't build our images with CAs installed; instead we leave it up to the user to mount in whatever CA is required, whether this be just mounting in the host's CAs or mounting in a specific file.

@pingles (Contributor) commented Oct 18, 2018

Hi @aaron-trout, this came up in another project of ours (uswitch/kiam#159) recently. I know having to mount the host certs makes it slightly more onerous for cluster operators to deploy (and that it depends on the host OS distro etc.), but it means that we can pick up updated certs much more easily than having to make sure we rebuild project Docker images frequently enough.

I'd be interested in more reasons for/against but for now I'd strongly favour no certs in images.

@aaron-trout (Contributor, Author)

Thanks for the response; mounting in the host's CA cert file would work, but I think it will be Kubernetes-environment specific (i.e. we have some stuff in GKE and some stuff in EKS, so it would be at different locations in each).

I don't have a super strong argument for bundling the public ca-certificates package; however, I'll have to build a custom image to work around that (an easier solution than selectively mounting files from the host). Perhaps you could push to quay.io/uswitch/vault-creds:<tag_name>-alpine or similar as an additional image? I.e. have the default 'scratch' but also provide an alpine version?
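One way to do the host-CA mount the maintainers describe, as an added example that is not part of this PR or of the vault-creds project: a Kubernetes Deployment that bind-mounts the node's CA bundle read-only into the scratch container and points the process at it with SSL_CERT_FILE (an override Go's crypto/x509 honours; that vault-creds picks it up is an assumption here). The host path used is the Debian/Ubuntu location and is an assumption that, as the thread notes, differs per node OS.

```yaml
# Added example: mount the node's CA bundle into a FROM-scratch container.
# Assumptions: the node keeps its bundle at the Debian/Ubuntu path below
# (RHEL-derived hosts use e.g. /etc/pki/tls/certs/ca-bundle.crt instead),
# and the process honours SSL_CERT_FILE, as Go's TLS client does.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-creds-example          # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-creds-example
  template:
    metadata:
      labels:
        app: vault-creds-example
    spec:
      containers:
      - name: vault-creds
        image: quay.io/uswitch/vault-creds:TAG   # TAG is a placeholder
        env:
        # Name the bundle to trust explicitly rather than relying on the
        # default search paths, which are empty in a scratch image.
        - name: SSL_CERT_FILE
          value: /etc/ssl/certs/ca-certificates.crt
        volumeMounts:
        - name: host-ca-bundle
          mountPath: /etc/ssl/certs/ca-certificates.crt
          readOnly: true            # the pod must never alter the node's trust store
      volumes:
      - name: host-ca-bundle
        hostPath:
          path: /etc/ssl/certs/ca-certificates.crt
          # type: File makes the pod fail to start if the bundle is absent on
          # this node, instead of silently running with an empty trust store.
          type: File
```

Because the bundle is read from the node at start-up, rotating or revoking CAs on the host takes effect on the next pod restart without rebuilding the image, which is the maintainers' stated reason for preferring this over baking certificates in.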
