
Background

I'm building two Spring Boot applications with Java which I'm deploying on OpenShift in the same namespace using Red Hat Universal Base Images. The applications communicate with each other through the Service URL. One of the applications functions as a server, the other one as a client. For the server I enabled TLS.

I'm using OpenShift service serving certificates to dynamically generate the certificates I need:

  • secret: tls.key & cert.key (server)
  • configMap: service-ca.crt (client)

I'm able to inject the certificates in the client- and server app through volumes and I'm able to curl from the client to the server container using https:

curl --cacert /etc/pki/ca-trust/extracted/java/service-ca.crt https://service-url  

In order to let the client Java app use the service-ca.crt I need to import it to the cacerts. When I try to do this I get stuck because I don't have write permission in the container:

sh-4.4$ cd /etc/pki/ca-trust/extracted/java; ls -ll 
total 0
lrwxrwxrwx. 1 root 1000970000 14 Jul  4 12:45 cacerts -> ..data/cacerts
lrwxrwxrwx. 1 root 1000970000 21 Jul  4 12:45 service-ca.crt -> ..data/service-ca.crt

sh-4.4$ keytool -import -noprompt -file service-ca.crt -alias service-x-ca -keystore cacerts -storepass changeit
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: cacerts (Read-only file system)

If this succeeds, the next step will be to try to set the service-ca through a command in initContainers and set the truststore via the env var JAVA_OPTIONS.

Questions

  • How can I update cacerts and inject my service-ca.crt in the container?
  • Is it that I don't have write permissions because of rootless containers/Red Hat UBI? If yes, is there a kind of workaround without the need for another base image? I saw in another Stack Overflow thread from a couple of years ago some suggestions, but not really a solution
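One way to carry out the initContainer step sketched at the end of the question without writing to the read-only cacerts, as an added example that is not from the original post or from OpenShift/Red Hat: the script copies the JDK's default cacerts into a writable directory, imports service-ca.crt there, and prints the flags for JAVA_OPTIONS. It assumes a writable emptyDir mounted at /opt/app/truststore (OUT_DIR) that is shared by the initContainer and the application container, and the JDK default store password changeit.

```shell
#!/bin/sh
# Added example, not code from the question: build an app-specific truststore
# in a writable volume instead of modifying the read-only system cacerts.
# Assumptions: CA_CERT is the mounted service CA; OUT_DIR is a writable emptyDir
# shared between the initContainer and the application container.
set -eu

CA_CERT="${CA_CERT:-/etc/pki/ca-trust/extracted/java/service-ca.crt}"
OUT_DIR="${OUT_DIR:-/opt/app/truststore}"
ALIAS="${ALIAS:-service-x-ca}"
STOREPASS="${STOREPASS:-changeit}"   # default password of the JDK cacerts

# Locate the JDK's default cacerts; JAVA_HOME may be unset inside the container.
find_cacerts() {
    if [ -n "${JAVA_HOME:-}" ] && [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
        echo "$JAVA_HOME/lib/security/cacerts"
    else
        # Resolve the java binary through its symlinks and walk up to the JDK root.
        java_bin=$(readlink -f "$(command -v java)")
        echo "${java_bin%/bin/java}/lib/security/cacerts"
    fi
}

# Copy the default trust roots into the writable volume and add the service CA.
# The copy keeps the public roots, so outbound TLS to other hosts keeps working.
build_truststore() {
    mkdir -p "$OUT_DIR"
    cp "$(find_cacerts)" "$OUT_DIR/cacerts"
    chmod u+w "$OUT_DIR/cacerts"
    keytool -importcert -noprompt -file "$CA_CERT" -alias "$ALIAS" \
        -keystore "$OUT_DIR/cacerts" -storepass "$STOREPASS"
}

# Succeeds (exit 0) only if the alias is present in the new store.
truststore_has_alias() {
    keytool -list -keystore "$OUT_DIR/cacerts" -storepass "$STOREPASS" \
        -alias "$ALIAS" >/dev/null 2>&1
}

# The flags to put into JAVA_OPTIONS in the application container.
java_opts() {
    echo "-Djavax.net.ssl.trustStore=$OUT_DIR/cacerts -Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Set RUN_BUILD=1 in the initContainer command to build and verify the store.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    build_truststore
    truststore_has_alias
    java_opts
fi
```

Because the application reads the store through -Djavax.net.ssl.trustStore, no write access to /etc/pki or the JDK directory is needed at runtime, and the system cacerts stays untouched.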

0 Answers