k8up-io / k8up

Kubernetes and OpenShift Backup Operator
https://k8up.io/
Apache License 2.0

Allow using custom CA certificates #900

Open mpepping opened 10 months ago

mpepping commented 10 months ago

Summary

As "an operator"
I want "to use my custom CA bundle with K8up"
So that "I can use a trusted, verified TLS connection to my backup backend"

Context

To handle TLS connections that use a custom/self-signed CA as certificate issuer, we now create our own K8up container images that include our own certificates. This allows us to have a verified connection to our S3 compatible backup backend.

We would prefer to have an option in the K8up container image itself to refer to a custom CA bundle. This is supported in Restic via the --cacert flag.

Effectively, we want to appoint a CA bundle file via an env var or config file for the K8s Pod.

Out of Scope

Further links

Acceptance Criteria

No response

Implementation Ideas

mpepping commented 10 months ago

Just FYI; this is roughly how we build a custom image now.

FROM registry.example.com/k8up-io/k8up:v2.7.1

# Root is needed to install packages and to write into the system CA store.
USER root

# Fetch the root, intermediate and issuing CA certificates (DER encoded on the
# PKI server), convert each to PEM and register them with the system store.
# The commands are chained with && so that a failed download or conversion
# fails the build instead of silently producing an image with a missing cert.
# The certificates are fetched over plain HTTP, so the resulting files should
# be compared against known fingerprints before the image is trusted.
RUN \
  apk add --no-cache openssl && \
  /usr/bin/curl -fsS "http://pki.example.com/RootCACert.crt" | \
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/root.crt && \
  /usr/bin/curl -fsS "http://pki.example.com/intermediate.crt" | \
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/intermediate.crt && \
  /usr/bin/curl -fsS "http://pki.example.com/myissuer.crt" | \
    /usr/bin/openssl x509 -inform DER -outform PEM -out /usr/local/share/ca-certificates/myissuer.crt && \
  /usr/sbin/update-ca-certificates

# Drop back to the unprivileged user the upstream image runs as.
USER 6553

poyaz commented 9 months ago

Hi

We have the same problem with k8up and our s3 server runs as TLS with a self-signed certificate. We would like to use the feature for mounting certificate files.

I am interested in developing this feature. I'd like to add these features:

  1. First, add options for using extraMount options to add certificate files
  2. Second, add env (or s3 parse URI) for TLS insecure

Reference: #792

@Kidswiss @tobru