GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0

add certificate to `gcr.io/distroless/java17-debian12:nonroot` #1591

Closed paul58914080 closed 1 month ago

paul58914080 commented 2 months ago

I would like to understand, for a distroless image of `gcr.io/distroless/java17-debian12:nonroot`, what is the best way to add a custom certificate (crt) to the JVM?

paul58914080 commented 1 month ago

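I tried to solve this by adding a custom certificate like this:

```dockerfile
FROM gcr.io/distroless/java17-debian12:nonroot

COPY my.crt /etc/ssl/certs

# Switch to root so keytool can write to the JVM truststore
USER root

# Exec form is required: the distroless image has no shell
RUN [\
 "/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool",\
 "-import",\
 "-trustcacerts",\
 "-cacerts",\
 "-noprompt",\
 "-storepass",\
 "changeit",\
 "-alias",\
 "my",\
 "-file",\
 "/etc/ssl/certs/my.crt"\
]

# Drop back to the unprivileged user for runtime
USER nonroot
```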

...
loosebazooka commented 1 month ago

I think you can generate your java certs file locally and just drop it into /etc/ssl/certs/java/cacerts instead of trying to do this on the distroless container.
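
One way to do what the comment above suggests, as an added example that is not part of the thread or the distroless project: build the truststore in a separate stage and copy only the resulting file to the `/etc/ssl/certs/java/cacerts` path named in the comment. The builder image `eclipse-temurin:17-jdk`, the stage name `truststore`, the `/work` directory and the reuse of the `changeit` store password from the Dockerfile above are assumptions.

```dockerfile
# Added example, not from the thread. Assumed: eclipse-temurin:17-jdk as the
# builder image, my.crt in the build context, store password "changeit".
FROM eclipse-temurin:17-jdk AS truststore

# Start from the truststore the distroless image already ships, so the result
# is its CA bundle plus one extra entry rather than the builder's own bundle.
COPY --from=gcr.io/distroless/java17-debian12:nonroot /etc/ssl/certs/java/cacerts /work/cacerts
COPY my.crt /work/my.crt

# Import the certificate, then list the alias so the build fails if the
# entry did not end up in the keystore.
RUN keytool -importcert -noprompt -trustcacerts \
      -keystore /work/cacerts -storepass changeit \
      -alias my -file /work/my.crt \
 && keytool -list -keystore /work/cacerts -storepass changeit -alias my

FROM gcr.io/distroless/java17-debian12:nonroot

# Replace the truststore file only; the final image needs no USER root
# and no RUN step, and keeps running as nonroot.
COPY --from=truststore /work/cacerts /etc/ssl/certs/java/cacerts
```

Because the import runs in the builder stage, the final image's only change is the replaced truststore file, which makes the added trust anchor easy to audit in a layer diff.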