Enable CA certificates to be baked into an image #94
Comments
|
@dmikusa-pivotal If possible, we would like to have the certs we add also added to the java cert store. |
|
@jjsheridan - That happens elsewhere. The JVM provider buildpacks (Bellsoft, Microsoft, Amazon, etc...) will load the system certs into the JVM. If you add certs using ca-certificates buildpack, they'll get installed to the right place so that the JVM provider buildpacks can pick them up. |
|
@dmikusa-pivotal It sounds like I can accomplish adding custom certs by creating our own ca-cert buildpack. Is that correct? If so, what would be the drawbacks to this method? |
Sorry, not sure I follow what you'd need to create a buildpack to do. The Paketo ca-certificates buildpack will handle copying certs from bindings to a location that is suitable for them to be used by OpenSSL. In addition, all of the Paketo Java buildpacks, the ones that provide various vendors' OpenJDK binaries, should load all of the OpenSSL certificate into the JVM keystore. So the two buildpacks work together to get your bound CA certificates into the JVM keystore. How were you thinking another buildpack would fit in here? Is there a gap in functionality? If so, we can try to cover that in the Paketo buildpacks. We'd like them to cover most situations out-of-the-box. |
|
@dmikusa-pivotal As a way of including our custom certs in the system cert store. Couldn't this be done by creating our own ca-certificates buildpack that would include all the certs that come with the buildpack and just adding ours? |
If you want to create a buildpack that embeds your ca-certificates with the buildpack itself, you could do that. The Paketo ca-certificates buildpack doesn't have a way to do that. Typically what I see being done though, instead of a custom buildpack, is a custom stack (build/run image) with the CA certs already trusted in the base image. This has a couple of advantages:
There are probably other ways to attack this problem as well. |
|
@dmikusa-pivotal Thanks. The drawback I see is we would need to have some automation in place to upgrade our stack as updates are released. Given the way we're creating our images via AWS CodePipeline and CodeBuild, it might complicate things a bit too much. |
Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail. Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding. To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image. CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies. This resolves #94. In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to false. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image. Signed-off-by: Daniel Mikusa <[email protected]>
Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail. Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding. To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image. CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies. This resolves #94. In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to false. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image. Signed-off-by: Daniel Mikusa <[email protected]>
Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail. Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding. To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image. CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies. This resolves #94. In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to false. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image. Signed-off-by: Daniel Mikusa <[email protected]>
Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail. Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding. To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image. CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies. This resolves #94. In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to false. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image. Signed-off-by: Daniel Mikusa <[email protected]>
|
@jjsheridan If you want, you can give https://github.com/paketo-buildpacks/ca-certificates/releases/tag/v3.2.0 a try. This has a PR I committed which allows one to include CA certificates into the built image. You then do not need to include them as a binding at runtime. This is convenient as it simplifies running the image. The downside is that it's less flexible. If you need to change the certs included with the image then you must rebuild the image. This should be included in the Paketo buildpacks composite & builder releases on Friday. To try now, just add |
|
Great, thanks @dmikusa-pivotal ! |
|
@dmikusa-pivotal I'm finally getting around to trying this, but since no binding is required, I'm not sure where the certs should be stored for pack to pick them up? |
|
@jjsheridan You would still need a binding, but only during build. So you would set After that, the CA certs are part of the image, so you do not need the binding at runtime. |
What happened?
Right now you need to pass ca-certificates bindings
at build andat runtime. The buildpack will add a helper which loads the certs in the runtime environment. You need to have the certs present at runtime though so the helper can load them.It's annoying to have to specify them twice.
We should support a more flexible configuration:
1. No build ca certs required to enable the helper. If you just need certs at runtime, then just set them at runtime.(this already works this way, it's enabled by default but you can opt-out and disable it).2. Embed ca certs into the image. CA certs are public certs, they are not secrets and we could include them in the image. It's just less flexible because you can't change the certs included at runtime. There is still utility in this though and we should allow it.
Checklist
The text was updated successfully, but these errors were encountered: