
I am using an SSL certificate while building the docker image to communicate with other services within Kubernetes. Right now I have the SSL certificate in my repo, and it gets published as part of the artifact. We are planning to move the cert to Key Vault and fetch it while executing our pipeline. I am not sure how I can fetch it while building the docker image. I have tried the default Azure Key Vault task and I am able to get the cert, but it's not a file (.crt or .pfx).

Below is the final stage in my Dockerfile:

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
COPY $(ps-test-cert)  /usr/local/share/ca-certificates/ps-test-cert 
RUN chmod 644 /usr/local/share/ca-certificates/ps-test-cert
RUN update-ca-certificates
ENTRYPOINT ["dotnet", "Logging.API.dll"]

The cert name in the key vault is ps-test-cert.

Here is my key vault task:

    - task: AzureKeyVault@1
      inputs:
        azureSubscription: 'ARMDeployment-Service-Conn'
        KeyVaultName: 'OneK-KeyVault'
        SecretsFilter: 'ps-test-cert'
        RunAsPreJob: false

Do I have to get the cert and publish it as an artifact? Since I need this at build time, I am not sure how I should import the cert so that I can use it.

Update

I am able to get the certificate using the Azure CLI with the commands below, but I am not sure how I will use that inside the Dockerfile. When I publish, I can see that the certificate is there in the published items.

    az keyvault certificate download --vault-name one-KeyVault -n ps-test-cert -f cert.pem
    openssl x509 -outform der -in cert.pem -out ps-test-cert.crt

In the publish task, I can use it like this:

- task: PublishPipelineArtifact@1
  displayName: 'Publish Pipeline Artifact'
  inputs:
    targetPath: 'ps-test-cert.crt'
    artifact: test

How can I use it in the Dockerfile?

threeleggedrabbit

2 Answers


Okay, here is how I solved my current scenario. As updated in the question, I was able to read the certificate from Key Vault. The next piece was to access the cert within the Dockerfile; since docker doesn't know the location (because it's not part of the context), it's not able to read the cert. So, what I have done is use a copy task to add the cert to the source directory where the docker context is set. Then docker is able to see the certificate and access it (because it's now in the docker context).

Below is the copy task, if that helps.

- task: CopyFiles@2
  displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)'
  inputs:
    Contents: |
      **\ps-test-cert.crt
    TargetFolder: '$(Build.SourcesDirectory)/Source/Logging.API/'

And in the Dockerfile, I just have to use the name, because it's available in the context.

COPY ps-test-cert.crt  /usr/local/share/ca-certificates/ps-test-cert.crt
RUN chmod 644 /usr/local/share/ca-certificates/ps-test-cert.crt
RUN update-ca-certificates
threeleggedrabbit
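
The staging step described in the answer above, as an added example that is not the question's or either answer's own script. It assumes the public certificate has already been written by `az keyvault certificate download` to a file named ps-test-cert.pem (assumed name), and that the docker build context is the `Source/Logging.API` directory the CopyFiles task targets. Beyond copying the file where a plain `COPY ps-test-cert.crt ...` can see it, it adds two checks a practitioner would want before baking a trust anchor into an image: the file must be PEM (update-ca-certificates only picks up PEM-encoded `.crt` files under `/usr/local/share/ca-certificates`), and it must not carry a private key (the AzureKeyVault task's variable is the PFX as a base64 string, key included, so a decoded copy of that must not be staged as-is).

```shell
#!/bin/sh
# Added example (not from the original post). Stages a Key Vault certificate
# into the docker build context and refuses files that should not become a
# baked-in CA trust anchor. Assumed names: ps-test-cert.pem as the downloaded
# file, Source/Logging.API as the build context.
set -eu

# True when the file holds at least one PEM certificate block.
# DER output (openssl x509 -outform der) or a raw PFX fails this check.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# True when the file holds a PEM private key block of any kind
# (RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY).
has_private_key() {
    grep -q -e 'PRIVATE KEY-----' "$1" 2>/dev/null
}

# stage_cert SRC CTX NAME
# Copies SRC to CTX/NAME.crt with mode 0644 and prints the staged path.
# Returns 1 (and stages nothing) when SRC is missing, is not PEM, or
# contains a private key.
stage_cert() {
    src=$1; ctx=$2; name=$3
    if [ ! -f "$src" ]; then
        echo "stage_cert: $src not found" >&2; return 1
    fi
    if ! is_pem_cert "$src"; then
        echo "stage_cert: $src is not a PEM certificate (DER or PFX?)" >&2; return 1
    fi
    if has_private_key "$src"; then
        echo "stage_cert: $src contains a private key; stage only the public cert" >&2; return 1
    fi
    mkdir -p "$ctx"
    cp "$src" "$ctx/$name.crt"
    chmod 0644 "$ctx/$name.crt"
    echo "$ctx/$name.crt"
}

# Pipeline usage (assumed paths; $BUILD_SOURCESDIRECTORY is the environment
# form of $(Build.SourcesDirectory) on an Azure DevOps agent):
#   az keyvault certificate download --vault-name one-KeyVault -n ps-test-cert -f ps-test-cert.pem
#   stage_cert ps-test-cert.pem "$BUILD_SOURCESDIRECTORY/Source/Logging.API" ps-test-cert
#   docker build "$BUILD_SOURCESDIRECTORY/Source/Logging.API"
```

The Dockerfile then keeps the answer's three lines unchanged (`COPY ps-test-cert.crt /usr/local/share/ca-certificates/ps-test-cert.crt`, `chmod 644`, `update-ca-certificates`). If the source of the certificate is the PFX string from the AzureKeyVault task rather than `az keyvault certificate download`, decode it and strip the key first (for example with `openssl pkcs12 -nokeys`), since the private-key check above rejects the full bundle on purpose.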

How to fetch Certificate from Azure Key vault to be used in docker image

According to the Azure Key Vault task:

Use this task to download secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords from an Azure Key Vault instance.

If the value fetched from the vault is a certificate (for example, a PFX file), the task variable will contain the contents of the PFX in string format.

So, this task will not download the certificate file directly. Then we could not use it in the Dockerfile with the syntax COPY $(ps-test-cert) /usr/local/share/ca-certificates/ps-test-cert.

As a workaround, you could use PowerShell scripts to download it and import it to a file:

- task: AzurePowerShell@5
  displayName: 'import certificates'
  inputs:
    azureSubscription: ToMicrosoft365Customers
    ScriptPath: '$(System.DefaultWorkingDirectory)/_Microsoft365/import-certificatesFromKeyvault.ps1'
    ScriptArguments: '-vaultname $(vaultname) -tempStoreLocation "D:\a\_temp\"'
    errorActionPreference: continue
    azurePowerShellVersion: LatestVersion
    pwsh: true

You could check the document Using KeyVault certificates in Azure DevOps for the PowerShell scripts and some more details.

Leo Liu
  • Thanks, I have tried that script. Since we are using an Ubuntu agent, that import command wasn't available in PowerShell Core, so I have switched to az cli. I am able to fetch the certificate now using the CLI, but I am unable to use the certificate inside the Dockerfile, though when I publish the artifact the certificate is visible. Here are the commands I am using; how I can use that inside my Dockerfile is what I am trying to work out. I have updated my question with the latest details. – threeleggedrabbit May 12 '21 at 04:39
  • @threeleggedrabbit, glad to know you could download the certificate. I need to confirm one thing: what do you mean by "How can I use it in docker file?", use it for what? What do you want to use the certificate for in the docker image? Like the `PublishPipelineArtifact` task to publish the certificate? Or anything else? – Leo Liu May 12 '21 at 05:40
  • There is internal service-to-service communication happening which requires my app to communicate over https, so I am adding the certificate directly to the image and running it when the container is removed or re-provisioned. – threeleggedrabbit May 12 '21 at 05:45
  • @threeleggedrabbit, OK, as I understand it, you just need to access the certificate in the docker image, am I right? – Leo Liu May 12 '21 at 06:00
  • Yes, I was able to do that a different way. Thanks. – threeleggedrabbit May 12 '21 at 07:02
  • @threeleggedrabbit, you could get that certificate directly in the Dockerfile. The `azure cli` will download the certificate file to the default work folder `$(System.DefaultWorkingDirectory)`. Then we could use this variable to get the path of the certificate, like `WORKDIR $(System.DefaultWorkingDirectory)` `COPY test.cert /usr/local/ps-test-cert`. Anyway, I am glad to know that you have found a solution to this problem. – Leo Liu May 12 '21 at 07:09