Import Self-Signed Certificates from Volume on Docker Container Start

[vosiander]

Is your feature request related to a problem? Please describe.

Yes, the problem revolves around handling self-signed certificates within Docker containers. Currently, there's no streamlined process to automatically import (self-signed) certificates when a container starts. This lack of automation requires manual intervention to ensure that containers trust self-signed certificates, which is both time-consuming and prone to human error. This is especially frustrating in environments that heavily rely on self-signed certificates for internal services, leading to trust issues and additional overhead in container setup.

Describe the solution you'd like

I propose that each Docker container should automatically import self-signed certificates from a specified volume upon start. This feature would look for a predefined directory within the container (e.g., /etc/ssl/certs/custom/) where self-signed certificates can be placed. Upon container startup, the system should automatically scan this directory and import any certificates found into the container's trusted certificate store. This process should be logged for audit purposes, ensuring visibility into which certificates were imported and when.

Describe alternatives you've considered

• Manual Certificate Import: This involves logging into each container after it starts and manually importing certificates. This is not scalable and prone to errors.
• Custom Initialization Scripts: Writing custom scripts that run on container start to import certificates. While this is more automated than the manual process, it requires custom scripting for each container image, increasing maintenance overhead.
• External Tools or Services: Utilizing external services to inject certificates into containers. This adds complexity and dependencies on external systems.

Acceptance Criteria

• Docker containers should automatically detect and import self-signed certificates from a specified volume at startup.
• The feature should support common certificate formats (e.g., PEM).
• Importing certificates should not require additional configuration or intervention once set up.
• There should be clear logging for the import process, indicating which certificates were imported and any failures.
• Ensure that the feature does not introduce security vulnerabilities or expose sensitive certificate data.

Additional context

In environments where self-signed certificates are frequently used (e.g., company internal certs, development, testing, and even some production scenarios), automating the process of trusting these certificates within containers can significantly streamline workflows and reduce setup errors. This feature would be particularly beneficial for organizations that use a large number of microservices or deploy containers dynamically.

[simonhir]

Hi Veit,

we internally also use custom certificates which we provide via environment vars for the java truststore. In my opinion that is also the best practice way to do it. In specific we mount the custom certificates via a Kubernetes deployment to /mnt/cacerts/cacerts-lhm, define the environment variable JAVA_OPTS_APPEND: "-Djavax.net.ssl.trustStore=/mnt/cacerts/cacerts-lhm" (could also be done as JAVAX_NET_SSL_TRUSTSTORE: /mnt/cacerts/cacerts-lhm) and if needed JAVAX_NET_SSL_TRUSTSTOREPASSWORD. Hope that answers and solves the problem.

Best regards Simon