Injecting ssl certificates into pods using kubernetes/openshift functionality

[ultramaks]

We have an OpenShift application that runs on Java/Tomcat
It requires an ssl certificate when we use https routes to access the services and thus we have the following errors:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I understand, that JVM tries to find a valid certification path for the certificate and cannot. In usual situation there is a need to insert the certifiicate into JVM's cacerts store but we cannot modify deployments to add this functionality

I tried to insert certificates into OS (version 4.10) using the following tecnics

1. Enabling the cluster-wide proxy
2. Acme OpenShift
3. Cert-Manager with either generating self-signed or trying to embed CA certificates (also self-signed)

This did not help me due tp different errors/issues in every way. I wonder is there a way to use any (self-signed or CA signed) certificate in OS cluster so a pod's JVM can use it for trusting? Otherwise I'll need to think about modification of a vendor's application deployment to install there somehow the certificates directly which is not very convenient way of solving the issue (honestly this may not be a case at all)

[llomgui]

Hello,

The easy way is to insert the needed certificate in the pod.

You can create a secret with the certificate and mount it as a volume inside the pod.

[ultramaks]

Yes, I created a configMap with an updateв cacerts file and mount it in the init-container with copying it into a custom place and specifying this place in java options
That worked for me