Custom cacert/trust store supported? #689

DRoppelt · 2021-03-31T06:58:26Z

Hi,

given I develop applications for internal tooling, I have to deal with certificates signed by a private CA. i.e. for *.net adresses.

For "regular" images, I would add those CAs via RUN keytool -importcert -file ...

How would I do this for native images? Is this currently supported?

I found following so far:

"regular" images can be build via buildback https://paketo.io/docs/buildpacks/language-family-buildpacks/java/
- there I can find a component "Paketo CA Certificates Buildpack", which I assume is for adding custom CAs
native images are built via this buildpack: https://paketo.io/docs/buildpacks/language-family-buildpacks/java-native-image/
- where I dont see that component -> so I assume it wont work via a component
I have also not found anything here https://docs.spring.io/spring-native/docs/current/reference/htmlsingle/#native-image-options or in other docs related to GraalVM

Am I approaching this wrong or is that something currently not covered by any of those native-image approaches?

The text was updated successfully, but these errors were encountered:

scottfrederick · 2021-04-01T20:02:05Z

There are a few issues blocking the ability to use the Paketo CA Certificates mechanism with Spring Native images.

The CA Certificates buildpack is indeed missing from the Paketo Java Native Image buildpack. It was removed in an earlier version for compatibility reasons. I've created an issue to see if it can be restored now.

If the CA Certificates buildpack is available, it does not appear that the Paketo GraalVM buildpack will do what is necessary to provide the certificates to GraalVM at native build time. I've create an issue to explore this in the GraalVM buildpack.

Finally, the CA Certificates buildpack relies on CNB Bindings to provide the location of certificates to the buildpack. Spring Boot 2.4, which is the latest version currently supported by Spring Native, does not have a way to configure bindings in the Maven plugin spring-boot:build-image goal or the Gradle plugin bootBuildImage task. This ability will be available in Spring Boot 2.5.

sdeleuze · 2021-04-02T05:54:23Z

Thanks a lot @scottfrederick, let's turn this issue to a 0.10 documentation one.

sdeleuze · 2021-04-27T15:06:19Z

See also #748 (comment)

sdeleuze · 2021-05-14T12:16:09Z

This will be supported when 0.10.0 will be released via related buildpack update, see this comment for an example.

sdeleuze added the status: waiting-for-triage An issue we've not yet triaged or decided on label Mar 31, 2021

sdeleuze added type: documentation A documentation task and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Apr 2, 2021

sdeleuze self-assigned this Apr 2, 2021

sdeleuze added this to the 0.10.0 milestone Apr 2, 2021

sdeleuze mentioned this issue May 12, 2021

Support CA Certificates with native images paketo-buildpacks/graalvm#66

Closed

sdeleuze added type: question A question and removed type: documentation A documentation task labels May 14, 2021

sdeleuze closed this as completed May 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom cacert/trust store supported? #689

Custom cacert/trust store supported? #689

DRoppelt commented Mar 31, 2021

scottfrederick commented Apr 1, 2021

sdeleuze commented Apr 2, 2021

sdeleuze commented Apr 27, 2021

sdeleuze commented May 14, 2021

Custom cacert/trust store supported? #689

Custom cacert/trust store supported? #689

Comments

DRoppelt commented Mar 31, 2021

scottfrederick commented Apr 1, 2021

sdeleuze commented Apr 2, 2021

sdeleuze commented Apr 27, 2021

sdeleuze commented May 14, 2021