Provide guidance for using `update-ca-certificates` in distroless images

[lbussell]

Describe the Problem

Our Ubuntu Chiseled images only includes the ca-certificates_data slice, which excludes tools like update-ca-certificates in order to reduce image size (this utility isn't typically needed at container runtime). However, if users want to add certificates at container build time, there's no documented way to do so in Ubuntu Chiseled.

Describe the Solution

There should be a documented way to run the update-ca-certificates tool in the image's build layer, and copy the results to the runtime layer.

Other Information

Context: https://devblogs.microsoft.com/dotnet/announcing-dotnet-chiseled-containers/comment-page-2/#comment-20182

[lbussell]

Slightly related: #4997

[marcmognol]

Hi @lbussell

In my company, I do prefer mounting the certificate as a volumeMount instead of integrating it in the container image.

Below an example of my Deployment manifest :

          volumeMounts:
          - name: secrets
            subPath: ROOT-CA-CERTIFICATE
            mountPath: /etc/ssl/certs/contoso-ca-certificates.crt
            readOnly: true

The certificate is stored in a common keyvault and mounted as a volume in all my deployments. This way, I can update the certificate in the keyvault once, restart all deployments and voilà !

Let me know, if my answer is not clear.

[ladeak]

So you install the certificates with update-ca-certificates on a machine and mount the resulted file?

[marcmognol]

@ladeak

No, I don't setup the certificate on the machine with update-ca-certificates.
Our workloads are deployed in an Kubernetes cluster with AKS (Azure Kubernetes Services)

What I do:

• Extract the root CA certificate into a file
• Copy the content of this file into a keyvault,
• Mount the keyvault as a Volume in my kubernetes deployment with a SecretProviderClass

If you don't have such a system, you can put the certificate file in a folder and mount it into the container to the path I mentioned in my previous comment.

Marc

[ladeak]

I don't recall the exact problem, but my recollection says the above method did not work for all cases. I do use exactly the same approach, however some certs had to be 'installed'.

[jfheins]

We encountered the same issue. Chiseled images seem to work for us, save the custom certificate.
In our company, we add a company root CA into the container and execute RUN update-ca-certificates afterwards:

ADD --chmod=644  company_root_ca.crt /usr/local/share/ca-certificates/company_root_ca.crt
RUN update-ca-certificates

This is used for interfaces to other services within the company. So another team has a HTTPS endpoint that uses this internal cert and we want to do HTTPS requests to that service.
Thus (if I'm not mistaken) the running application needs this cert in the cert store.

Is there a way to make this work in a chiseled container?

[richlander]

Related: richlander/container-workshop#5 (comment)

[richlander]

You can also run update-ca-certificates in muti-stage-build.