Add Custom Certificates to ESS Services
In some cases, you may need to add custom certificates to the ESS services’ trust store. For example, you may need to add custom certificates to allow ESS services to communicate with services that do not use typical certificate authorities.
Warning: The following procedure modifies initContainers for your Kubernetes pods and may have far-reaching impact. Exercise care when using the following procedure.
Example Customization
The following kustomization uses the Inrupt-provided load-custom-cert.yaml to add a custom certificate (named custom.crt in the example) from a ConfigMap when pods start running.
1. Download the load-custom-cert.yaml to a temp directory.

    cd $(mktemp -d)
    docker run --rm -v $(pwd):/cert-example/ docker.software.inrupt.com/inrupt-kustomizer:2.3.6 cp -R /release/ess/deployment/kubernetes/components/openid-custom-certificate/ /cert-example/

2. From the temp directory, copy the downloaded load-custom-cert.yaml to the ESS installation directory.

    cp openid-custom-certificate/load-custom-cert.yaml ${HOME}/ess/

   If saving to a directory different from the ESS installation directory, update the path to load-custom-cert.yaml in the kustomization.yaml step below.

3. Go to your ESS installation directory:

    cd ${HOME}/ess

4. Save your custom certificate in a file named custom.crt.

5. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file under the patches key and configMapGenerator key:

# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - path: load-custom-cert.yaml
    target:
      kind: Deployment
      name: ess-openid
configMapGenerator:
  - name: custom-certificate
    namespace: ess
    files:
      - custom.crt

Continue with the rest of the Applying Your Customizations procedure.
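
A preflight check for custom.crt, run from the ESS installation directory before the kustomization is applied. This is an added example, not part of Inrupt's documentation or tooling. It assumes custom.crt is PEM-encoded and that openssl is installed; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the custom.crt that kustomize will publish in
# the custom-certificate ConfigMap. Function names are hypothetical.
# Assumption: custom.crt is PEM-encoded.

# pem_preflight FILE: 0 only if FILE holds balanced CERTIFICATE blocks and
# nothing else. Non-zero codes: 1 missing, 2 private key, 3 other PEM, 4 shape.
pem_preflight() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # A ConfigMap is not a Secret, so key material must never ride along.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "private key found in $f" >&2; return 2
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    others=$(grep -e '^-----BEGIN ' "$f" |
        grep -v -c -e '^-----BEGIN CERTIFICATE-----' || true)
    if [ "$others" -gt 0 ]; then
        echo "non-certificate PEM block (CSR, CRL, ...) in $f" >&2; return 3
    fi
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "no complete certificate in $f (PEM expected)" >&2; return 4
    fi
    echo "$f: $begins certificate block(s), no key material"
}

# cert_report FILE: show what is about to be trusted and refuse a certificate
# that expires within 30 days. openssl x509 reads only the first block.
cert_report() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256 &&
        openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        { echo "unparsable or expiring within 30 days: $1" >&2; return 5; }
}

# Usage: sh cert-preflight.sh custom.crt
if [ "$#" -ge 1 ]; then
    pem_preflight "$1" && cert_report "$1"
fi
```

Compare the printed SHA-256 fingerprint with the value obtained out of band from the certificate's owner before applying the kustomization.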