Add Custom Certificates to ESS Services#

In some cases, you may need to add custom certificates to the ESS services’ trust store. For example, you may need to add custom certificates to allow ESS services to communicate with services that do not use typical certificate authorities.

Warning

The following procedure modifies initContainers for your Kubernetes pods and may have far-reaching impact. Exercise care when using the following procedure.

Example Customization#

The following kustomization uses the Inrupt-provided load-custom-cert.yaml to add a custom certificate (named custom.crt in the example) from a ConfigMap when pods start running.

  1. Download the load-custom-cert.yaml to a temp directory.

    cd $(mktemp -d)
    
    docker run --rm -v $(pwd):/cert-example/ docker.software.inrupt.com/inrupt-kustomizer:2.3.0 cp -R /release/ess/deployment/kubernetes/components/openid-custom-certificate/ /cert-example/
    
  2. From the temp directory, copy the downloaded load-custom-cert.yaml to the ESS installation directory.

    cp openid-custom-certificate/load-custom-cert.yaml ${HOME}/ess/
    

    If saving to a directory different from the ESS installation directory, update the path to load-custom-cert.yaml in the kustomization.yaml step below.

  3. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  4. Save your custom certificate in a file named custom.crt.

  5. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, add the highlighted content to the kustomization.yaml file under the patches key and configMapGenerator key:

    Tip

    If patches key does not exist in kustomization.yaml, add the patches key as well.

    If configMapGenerator key does not exist in kustomization.yaml, add the configMapGenerator key as well.

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity
    # ...
    
    patches:
      - path: load-custom-cert.yaml
        target:
          kind: Deployment
          name: ess-openid
    
    configMapGenerator:
      - name: custom-certificate
        namespace: ess
        files:
          - custom.crt
    
  6. Continue with the rest of the Applying Your Customizations procedure.