uswitch / vault-creds

Sidecar container for requesting dynamic Vault database secrets
Apache License 2.0

Docker: Allow vault cert to be validated by public CAs #17

Open aaron-trout opened 5 years ago

aaron-trout commented 5 years ago

Currently, because the Docker image is `FROM scratch`, there are no CA certificates available to validate the Vault server's certificate. We are using letsencrypt on our Vault API endpoint, so by simply installing the ca-certificates package the validation can pass.

Joseph-Irving commented 5 years ago

Hey, thanks for the PR

We intentionally don't build our images with CAs installed; instead we leave it up to the user to mount in whatever CA is required, whether this be just mounting in the host's CAs or mounting in a specific file.

pingles commented 5 years ago

Hi @aaron-trout, this came up in another project of ours (https://github.com/uswitch/kiam/pull/159) recently. I know having to mount the host certs makes it slightly more onerous for cluster operators to deploy (and that it depends on host OS distro etc.), but it means that we can pick up updated certs much more easily than having to make sure we rebuild project docker images frequently enough.

I'd be interested in more reasons for/against but for now I'd strongly favour no certs in images.

aaron-trout commented 5 years ago

Thanks for the response; mounting in the host's CA cert file would work, but I think it will be kubernetes environment specific (i.e. we have some stuff in GKE and some stuff in EKS, so it would be at different locations in each).

I don't have a super strong argument for bundling the public ca-certificates package; however, I'll have to build a custom image to work around that (an easier solution than selectively mounting files from the host). Perhaps you could push to quay.io/uswitch/vault-creds:<tag_name>-alpine or similar as an additional image? I.e. have the default 'scratch' but also provide an alpine version?