Import a certificate in Docker image

Hello!

So, I am building a Docker image of Keycloak in order to include a SPI, theme and realm inside it.
It looks like this:

FROM quay.io/keycloak/keycloak:11.0.3

COPY keycloak-spi/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-theme/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-infra/*.json /opt/realm/

When I run the image everything works fine. The issue is that my SPI makes HTTP requests towards some server where a proxy in the middle intercepts and rejects the request. I then have to import the needed certificate into the image’s certs (as the Java certs point to them). Hence, I added to the Dockerfile:

COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust

The problem is that the base image switches to USER 1000 (which is normal), but then that user does not have the rights to execute update-ca-trust.
So I resorted to doing:

USER root
COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
USER 1000

It seems to work (still some more tests to do), but my feeling is that it’s kinda wrong to switch back to the root user.

Is there any other way to manage such a thing?
Thanks!

You can build your own tls-ca-bundle.pem with all required certs and then just replace the current system certs during the build:

COPY tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

* you may need to use the advanced COPY form with --chown=1000:1000

But I would use volumes for /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - there is no need for a Docker image update when new certs are released. Of course it depends on your deployment.

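One way to combine the two posts above without the final image ever switching to root: run update-ca-trust in a throwaway build stage and copy only the generated trust outputs into the shipped image. This is an added example, not the original poster's Dockerfile; it assumes the same base image and paths as the question and that the files in keycloak-infra/*.cer are CA certificates (PEM or DER, both accepted in the anchors directory).

```dockerfile
# Stage 1: a disposable stage that is allowed to be root so update-ca-trust
# can regenerate the system trust store (PEM bundle and Java cacerts).
FROM quay.io/keycloak/keycloak:11.0.3 AS ca-builder
USER root
# Assumption: keycloak-infra/*.cer holds the proxy's CA certificate(s).
COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust \
 # Fail the build early if the outputs the JVM relies on were not produced.
 && test -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 && test -s /etc/pki/ca-trust/extracted/java/cacerts

# Stage 2: the image that actually ships. It never issues USER root, so it
# keeps the base image's runtime user (1000) for every layer it adds.
FROM quay.io/keycloak/keycloak:11.0.3

COPY keycloak-spi/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-theme/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-infra/*.json /opt/realm/

# Only the extracted trust store is taken from the builder stage; the raw
# anchors and any root-run tooling stay behind. The copied files are owned
# by root and world-readable, which is enough for the JVM to read them and
# means the runtime user cannot alter the trust anchors. Add
# --chown=1000:1000 only if something must write to this directory at runtime.
COPY --from=ca-builder /etc/pki/ca-trust/extracted/ /etc/pki/ca-trust/extracted/
```

If the proxy certificate rotates, only the ca-builder stage's input changes, so a rebuild is still required; the volume approach from the answer above avoids even that at the cost of managing the bundle outside the image.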

Thanks @jangaraj
Actually I am considering moving to volumes and init containers to load everything, so having an extra volume for the certs would be interesting.