How to update the CA certificates within the Artifactory Pod?

ARTIFACTORY: How to add custom SSL certificates to an Artifactory pod using Helm charts

Author: Shisiya Sebastian
Article number: 000005905
Source: Salesforce
First published: 2023-11-08T18:12:05Z
Last modified: 2023-11-06
Version: 1

By default the Artifactory pod runs as the user 'artifactory', and you do not have root access when you enter the pod. Adding certificates to a container's CA trust configuration requires root, so we use a custom init container to run the necessary commands as root before Artifactory starts.

Here we are using a Red Hat based container for Artifactory, so the values.yaml below uses the Red Hat trust store layout (/etc/pki/ca-trust and update-ca-trust).

Step 1: Create a ConfigMap from the certificate file that needs to be added to the CA trust store:
kubectl create configmap my-certs --from-file=mycustom.crt -n <mynamespace>


Step 2: Add the following snippet to the Artifactory values.yaml to import the certificate:
artifactory:
  customInitContainers: |
    - name: "sslsetup"
      image: "{{ .Values.initContainerImage }}"
      imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}"
      # update-ca-trust only needs to write under /etc/pki/ca-trust, so running
      # as uid 0 is sufficient; privileged: true grants more than this step uses.
      securityContext:
        privileged: true
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
      # Folded scalar (>): the lines below are joined into a single shell command.
      # The brace expansion relies on a bash-compatible sh, as in the Red Hat image.
      command:
        - 'sh'
        - '-c'
        - >
          mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
          /usr/bin/update-ca-trust extract;
      volumeMounts:
        - mountPath: "{{ .Values.artifactory.persistence.mountPath }}"
          name: artifactory-volume
        # The custom certificate from the ConfigMap becomes a trust anchor
        - name: my-certs
          mountPath: "/etc/pki/ca-trust/source/anchors/mycustom.crt"
          subPath: mycustom.crt
        # update-ca-trust writes the generated bundles into this shared emptyDir
        - name: ssl-path
          mountPath: "/etc/pki/ca-trust/extracted"
          readOnly: false
  customVolumes: |
    - name: ssl-path
      emptyDir: {}
    - name: my-certs
      configMap:
        name: my-certs
  # The same two volumes are mounted into the Artifactory container, so it sees
  # the trust store generated by the init container instead of the image's own.
  customVolumeMounts: |
    - name: my-certs
      mountPath: /etc/pki/ca-trust/source/anchors/mycustom.crt
      subPath: mycustom.crt
    - name: ssl-path
      mountPath: /etc/pki/ca-trust/extracted

Note: Make sure the volume names and volume mount names used here (ssl-path, my-certs) are not already used elsewhere in your .yaml files. Note also that update-ca-trust refreshes the operating system trust store, which is what curl and other OpenSSL based tools consult; Artifactory's own JVM uses a Java keystore, which is handled separately (see reference 2, Adding certs to Java Keystore).


The above configuration performs the following actions:
  • Creates an emptyDir volume mounted at /etc/pki/ca-trust/extracted, initially an empty folder, for the Artifactory pod
  • Creates a second volume mount at /etc/pki/ca-trust/source/anchors/mycustom.crt whose contents come from the ConfigMap
  • Mounts both volumes in the custom init container
  • Runs update-ca-trust in the init container to import the CA certificate into the generated trust bundles

Step 3: Open a shell in the Artifactory container and request the URL with curl to confirm that the TLS error is gone:
kubectl exec -it artifactory-0 -c artifactory -n <mynamespace> -- bash
curl -v https://<mycustomurl>
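The curl check above only proves that one URL works. The following script, an added example that is not part of the original article, verifies directly that every certificate in the mounted anchor file appears in the bundle generated by update-ca-trust, comparing SHA-256 fingerprints of the DER bytes so formatting differences do not matter. The bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is the standard Red Hat location, not stated on the page; run it inside the Artifactory container (python3 check_trust.py) or pass alternative paths as arguments.

```python
"""Confirm a custom CA anchor was extracted into the system trust bundle.

Intended to run inside the Artifactory container after the init container
has executed `update-ca-trust extract`. Paths are the Red Hat defaults.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
ANCHOR = "/etc/pki/ca-trust/source/anchors/mycustom.crt"
BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in a PEM CERTIFICATE envelope (used to build constructed test input)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pem_fingerprints(pem_text: str) -> set:
    """Return the hex SHA-256 fingerprints of every CERTIFICATE block in a PEM text."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(anchor_pem: str, bundle_pem: str) -> set:
    """Fingerprints present in the anchor file but absent from the bundle.

    An empty set means every anchored certificate was extracted. A non-empty
    set usually means update-ca-trust did not run, or the init container and
    the Artifactory container do not share the ssl-path emptyDir volume.
    """
    return pem_fingerprints(anchor_pem) - pem_fingerprints(bundle_pem)


if __name__ == "__main__":
    anchor_path = sys.argv[1] if len(sys.argv) > 1 else ANCHOR
    bundle_path = sys.argv[2] if len(sys.argv) > 2 else BUNDLE
    with open(anchor_path) as f, open(bundle_path) as g:
        gap = missing_from_bundle(f.read(), g.read())
    if gap:
        print("NOT in the system bundle:", ", ".join(sorted(gap)))
        sys.exit(1)
    print("all anchored certificates are present in", bundle_path)
```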


References
  1. Artifactory Charts
  2. Adding certs to Java Keystore
  3. Using CustomInitContainers