How to update the CA certificates within the Artifactory Pod?

ARTIFACTORY: How to add custom SSL certificates to an Artifactory pod using Helm charts

Author: Shisiya Sebastian
Article number: 000005905
First published: 2023-11-08T18:12:05Z
Last modified: 2025-07-22
Version: 3


By default, the Artifactory pod runs as the user 'artifactory', so you do not have root access when you exec into the pod. Adding certificates to a container's CA trust configuration files requires root access. A custom init container can run the necessary commands as root.

Here, we are using a Red Hat container for Artifactory, so values.yaml is configured accordingly.

Step 1: Create a ConfigMap from the certificate file that needs to be imported into the CA certificates.
 

kubectl create configmap my-certs --from-file=mycustom.crt -n <mynamespace>



Step 2: Use the configuration snippet below in the Artifactory values.yaml to import the certificates.

artifactory:
  customInitContainers: |
    - name: "sslsetup"
      image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }}
      imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} 
      securityContext:
        privileged: true
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
      command:
        - 'sh'
        - '-c'
        - >
          mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
          /usr/bin/update-ca-trust extract;
      volumeMounts:
        - mountPath: "{{ .Values.artifactory.persistence.mountPath }}"
          name: artifactory-volume
        - name: my-certs
          mountPath: "/etc/pki/ca-trust/source/anchors/mycustom.crt"
          subPath: mycustom.crt
        - name: ssl-path
          mountPath: "/etc/pki/ca-trust/extracted"
          readOnly: false
  customVolumes: |
   - name: ssl-path
     emptyDir: {}
   - name: my-certs
     configMap:
       name: my-certs
  customVolumeMounts: |
   - name: my-certs
     mountPath: /etc/pki/ca-trust/source/anchors/mycustom.crt
     subPath: mycustom.crt
   - name: ssl-path
     mountPath: /etc/pki/ca-trust/extracted


Note: Make sure that the volume names and volume mount names used here are not already used in your .yaml files.


The above configuration performs the following actions:

  • Creates a custom volume (an emptyDir) mounted at /etc/pki/ca-trust/extracted, which starts as an empty folder for the Artifactory pod
  • Creates another custom volume mount at /etc/pki/ca-trust/source/anchors/mycustom.crt whose contents come from the ConfigMap
  • Uses these mounts in the custom init container, which runs as root (runAsUser: 0) with privileged: true
  • Runs the commands that import the CA certificates


Step 3: Log in to the Artifactory container and request the URL with curl to confirm that the SSL error is fixed.
 

kubectl exec -it artifactory-0 -c artifactory -n <mynamespace> -- bash
curl -v https://<mycustomurl>
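
A complementary check to the curl test, as an added example that is not part of the original article: the functions below confirm that every certificate in the anchor file appears in the extracted bundle, and flag a file that contains a private key before it is loaded into the ConfigMap. The sample PEM bodies are constructed placeholders, and the example assumes awk and grep are available in the image.

```sh
#!/bin/sh
# Added example, not from the original article. File names and PEM bodies
# below are constructed placeholders, not real certificates.

# Print one line per CERTIFICATE block with its base64 body joined, so two
# copies compare equal regardless of line wrapping or comment lines.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /-----END CERTIFICATE-----/ { if (inside && body != "") print body; inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# Succeed if the file holds a PEM private key; such a file must not be
# loaded into a ConfigMap, which is not a secret store.
has_private_key() {
  grep -Eq -- '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# Return 0 if every certificate in ANCHOR ($1) is present in BUNDLE ($2),
# 1 if one is missing, 2 if ANCHOR contains no certificate at all.
anchor_in_bundle() {
  anchor_certs=$(pem_bodies "$1")
  [ -n "$anchor_certs" ] || return 2
  bundle_certs=$(pem_bodies "$2")
  while IFS= read -r cert; do
    printf '%s\n' "$bundle_certs" | grep -Fxq -- "$cert" || return 1
  done <<EOF
$anchor_certs
EOF
}

# Write constructed sample files into directory $1 for an offline run.
make_sample() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktM' 'TU5PUA==' \
    '-----END CERTIFICATE-----' > "$1/mycustom.crt"
  printf '%s\n' '# Constructed CA one' '-----BEGIN CERTIFICATE-----' \
    'WFlaWFlaWFlaWFla' '-----END CERTIFICATE-----' > "$1/before.pem"
  { cat "$1/before.pem"; printf '%s\n' '# mycustom' \
    '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktMTU5PUA==' \
    '-----END CERTIFICATE-----'; } > "$1/after.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' \
    '-----END PRIVATE KEY-----' > "$1/leaked.pem"
}
```

Inside the pod from Step 3, paste the functions and run anchor_in_bundle /etc/pki/ca-trust/source/anchors/mycustom.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (the bundle path is assumed to be the one update-ca-trust writes on Red Hat images). An exit status of 1 means the certificate did not reach the bundle.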


